From owner-freebsd-net@FreeBSD.ORG Tue Jan 18 09:29:11 2005
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0C5D216A4CE; Tue, 18 Jan 2005 09:29:11 +0000 (GMT)
Received: from mallaury.noc.nerim.net (smtp-102-tuesday.noc.nerim.net [62.4.17.102]) by mx1.FreeBSD.org (Postfix) with ESMTP id 61F0243D2F; Tue, 18 Jan 2005 09:29:10 +0000 (GMT) (envelope-from e-masson@kisoft-services.com)
Received: from srvbsdnanssv.interne.kisoft-services.com (kisoft.net1.nerim.net [62.212.107.51]) by mallaury.noc.nerim.net (Postfix) with ESMTP id B054A62DA3; Tue, 18 Jan 2005 10:29:07 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])B216BC1A4; Tue, 18 Jan 2005 10:29:06 +0100 (CET)
Received: from srvbsdnanssv.interne.kisoft-services.com ([127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 01298-09; Tue, 18 Jan 2005 10:29:01 +0100 (CET)
Received: by srvbsdnanssv.interne.kisoft-services.com (Postfix, from userid 1001) id 19957C151; Tue, 18 Jan 2005 10:29:01 +0100 (CET)
To: Max Laier
In-Reply-To: <200501172327.13677.max@love2party.net> (Max Laier's message of "Mon, 17 Jan 2005 23:27:03 +0100")
References: <86k6qcynus.fsf@srvbsdnanssv.interne.kisoft-services.com> <200501172327.13677.max@love2party.net>
From: Eric Masson
Mail-Followup-To: Mailing List FreeBSD PF
X-Operating-System: FreeBSD 5.3-STABLE i386
Date: Tue, 18 Jan 2005 10:29:00 +0100
Message-ID: <86r7kj3x2b.fsf@srvbsdnanssv.interne.kisoft-services.com>
User-Agent: Gnus/5.1006 (Gnus v5.10.6) XEmacs/21.4 (Security Through Obscurity, berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-15
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: amavisd-new at interne.kisoft-services.com
cc: Mailing List FreeBSD Network
cc: Mailing List FreeBSD PF
Subject: Re: pf & clonable devices
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Tue, 18 Jan 2005 09:29:11 -0000

>>>>> "Max" == Max Laier writes:

Hi Max,

Max> Just guessing, but I assume you forgot to use round brackets
Max> around your NAT and from/to addresses. It should look like the
Max> following:

I don't think so, but maybe I'm wrong:

# macros
int_if = "xl0"
ext_if = "ppp0"
tun_if = "ppp1"
tcp_services = "{ 22 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)

# filter rules
block in log all
block out log all

pass in quick on lo0 all
pass out quick on lo0 all

pass in quick on $int_if all
pass out quick on $int_if all

pass in quick on $tun_if all
pass out quick on $tun_if all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Max> If you have it this way, you should send more details about your
Max> ruleset, maybe to the freebsd-pf mailing list.

I've just subscribed to this list, so follow up there.

Éric Masson

-- 
So, once and for all: on 1 January 2000 at 00h00m01s we will already have
started 2001, a year that will be entirely over on 1 January 2001 at
00h00m00s.
-+- JCM in GNU: always a year ahead of the competition -+-
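The distinction Max is pointing at, as an added illustration that is not part of either message in the thread: in pf.conf an interface name used in an address position (the NAT translation address, or a from/to host) is expanded to that interface's addresses when pfctl loads the ruleset, so the load fails if the interface has no address yet and the rule goes stale if the address changes later, which is exactly what happens with a clonable/dial-up interface such as ppp0. The same name in round brackets is looked up each time the rule is evaluated. An `on $ext_if` clause names the interface rather than its address and needs no brackets. The macro names and port are taken from the ruleset above; the "fragile" lines are commented out so the fragment loads as a whole.

```conf
# Added example (not from the thread): load-time versus evaluation-time
# resolution of an interface's address in pf.conf.
# Macro names follow the ruleset posted above.
ext_if = "ppp0"
int_if = "xl0"

# Fragile: in an address position, "$ext_if" is replaced by ppp0's address(es)
# at the moment pfctl loads the file. If ppp0 does not exist or has no address
# yet, the load fails; if the address changes after a redial, the rule keeps
# the old one.
# nat on $ext_if from $int_if:network to any -> $ext_if
# pass in on $ext_if inet proto tcp from any to $ext_if port 22 flags S/SA keep state

# Correct: "($ext_if)" is resolved every time the rule is evaluated, so the
# ruleset loads before the link is up and follows later address changes.
nat on $ext_if from $int_if:network to any -> ($ext_if)
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA keep state

# "on $ext_if" matches packets by interface name, not by address, so it is
# fine without brackets in both forms above. "$int_if:network" is still
# expanded at load time, which is acceptable for a statically addressed xl0.
```

A quick check before activating a ruleset on a box with such interfaces is `pfctl -nf /etc/pf.conf` with the dynamic interface down: the bracketed form parses, the bare form does not.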