From: Henri Hennebert (hlh@restart.be)
Organization: RestartSoft
Date: Sun, 08 Jul 2007 15:02:00 +0200
To: stable@freebsd.org
Message-ID: <4690E048.7010405@restart.be>
Subject: Re: PF Question
List-Id: Production branch of FreeBSD source code

Morgan Reed wrote:
> Not sure if this is the most appropriate place to ask, feel free to
> redirect me if it isn't.
>
> I've got an issue with a simple NAT with pf.
>
> I've got two machines;
> the first (I will call m1) has 2 ethernet interfaces (I will call them
> m1.0 and m1.1)
> the second (I will call m2) has 1 ethernet interface (I will call it m2.0)
>
> m1.0 faces my LAN, m1.1 and m2.0 are on a separate, isolated segment.
>
> What I need to be able to do is to access the "outside world" from m2
> and be able to get to ports 80, 443 and 3128 on m2 from my LAN by
> connecting to ports 80, 443 and 3128 on m1 and having traffic
> forwarded appropriately.
>
> m1.0 - 192.168.0.X/24 (DHCP assigned)
> m1.1 - 192.168.1.2/24
> m2.0 - 192.168.1.30/24
>
> /etc/pf.conf
> =========================================================
>
> ext_if="m1.0"
> int_if="m1.1"
>
> nat on $ext_if from !($ext_if) -> ($ext_if:0)

I think traffic coming back is natted a second time ???

I prefer:

nat on $ext_if from $int_if:network to any -> ($ext_if)

>
> rdr pass on $ext_if proto tcp to port 80 -> 192.168.1.30 port 80
> rdr pass on $ext_if proto tcp to port 443 -> 192.168.1.30 port 443
> rdr pass on $ext_if proto tcp to port 3128 -> 192.168.1.30 port 3128

I would also nat on int_if in this case -- except for m1.

no nat on $int_if proto tcp from $int_if to $int_if:network
nat on $int_if proto tcp from $int_if:network to 192.168.1.30 port {80 443 3128 } -> $int_if

Henri

>
> pass in keep state
> pass out keep state
>
> =========================================================
>
> The current status is as follows;
> * I can ping m1.0 from m2
> * I can't ping any of the other addresses on the 192.168.0.0/24 network
> from m2
>
> - tcpdump'ing m1.1
> * Connecting to one of the forwarded ports on m1.0 I see nothing
> * Connecting from m2 to a host on the LAN I see the connections going
> out but, not coming back
>
> Your assistance is greatly appreciated.
>
> Morgan
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
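The pieces above assembled into one pf.conf for m1, as an added example that is not code from either poster. It keeps Morgan's interface macros and pass rules, uses Henri's outbound nat and the "no nat" exemption for m1, and assumes (differing from Henri's line) that the source match on the int_if nat rule should be "any" so that LAN clients in 192.168.0.0/24 match; the m2 and fwd_ports macros are added for readability.

```pf
# Interface names as in the post; replace with m1's real ones (e.g. em0/em1).
ext_if="m1.0"          # LAN side, 192.168.0.x/24 via DHCP
int_if="m1.1"          # isolated segment, 192.168.1.2/24
m2="192.168.1.30"      # the host behind m1 that serves 80/443/3128
fwd_ports="{ 80 443 3128 }"

set skip on lo0

# Outbound: only the isolated segment is translated to m1's LAN address,
# so traffic that is merely returning through m1 is not translated again.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Forwarded connections are also source-translated to m1's inner address,
# so m2's replies always return via m1 (where the state entry undoes the
# rdr) regardless of m2's default route. m1 itself is exempt.
# Assumption: source is "any" so that LAN clients (192.168.0.0/24) match.
no nat on $int_if proto tcp from $int_if to $int_if:network
nat on $int_if proto tcp from any to $m2 port $fwd_ports -> ($int_if)

# Forward the three service ports on m1's LAN address to m2.
rdr pass on $ext_if proto tcp to port 80   -> $m2 port 80
rdr pass on $ext_if proto tcp to port 443  -> $m2 port 443
rdr pass on $ext_if proto tcp to port 3128 -> $m2 port 3128

# As in the original: everything is allowed. This is where to tighten
# (per-interface, per-port rules) once forwarding is confirmed working.
pass in keep state
pass out keep state

# Syntax-check without loading:      pfctl -nf /etc/pf.conf
# Inspect loaded nat/rdr rules:      pfctl -sn
# Watch state entries while testing: pfctl -ss
```

Because of the int_if nat rule, m2 sees every forwarded connection as coming from 192.168.1.2, so its own access logs no longer record the LAN client's address; m1's state table (pfctl -ss) is where the original source can still be seen.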