Date: Thu, 16 Sep 2004 04:02:38 -0000
From: "Amir S." <amir@boom.org.il>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] nat dynamic ip interface
Message-ID: <20040316085734.GA40180@active.ath.cx>
I'm using FreeBSD 5.2-CURRENT #0: Tue Mar 9 13:05:04 IST 2004. I have switched to test pf for my nat and firewall, but I'm having problems with natting my private network to the internet.

I have the following interfaces handled by pf:

fxp0 - local network
fxp1 - adsl modem, I connect to it over pppoe using freebsd `ppp`.
tun0 - internet interface

I'm using this rule to do natting:

nat on $ext_if from $int_if:network to any -> ($ext_if)

The problems begin after a while my machine is running: my internet connection dies and reconnects, and my interface receives a new ip. After this point, all my private network can't connect to the internet until I do:

`pfctl -f /etc/pf.conf`

to reload the settings, and then it works again.

This is what `pfctl -s nat` says:

# pfctl -s nat
nat on tun0 inet from 10.10.10.0/24 to any -> (tun0)
rdr on fxp0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
#

I don't know if this might cause this, but I still have ipfw and ipfilter compiled in the kernel, but I don't use them at the moment.
I have attached below my whole pf.conf file:

# $FreeBSD: src/etc/pf.conf,v 1.1 2004/03/08 22:03:27 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
int_if = "fxp0"
adsl_if = "fxp1"
ext_if = "tun0"
tcp_services = "{ 21, 22, 25, 80, 113, 143 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set block-policy drop
set loginterface $ext_if
set fingerprints "/etc/pf.os"

scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

block all

pass quick on lo0 all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass in on $ext_if inet proto tcp from any to ($ext_if) user proxy keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

pass out on $adsl_if proto tcp all modulate state flags S/SA group wheel
pass out on $adsl_if proto { udp, icmp } all keep state group wheel
#########################################################################

thanks,
-- 
Amir.
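The manual `pfctl -f /etc/pf.conf` the poster falls back to, done automatically each time ppp brings tun0 up with a new address, as an added example that is not part of the original mail or of pf/ppp. It assumes the script is started from ppp's link-up hook (an `/etc/ppp/ppp.linkup` entry running it with `!bg`), that `ifconfig`, `pfctl` and `logger` are in the path, and that flushing the state table after the reload is what clears translations still bound to the old address; the ifconfig output embedded below is constructed.

```shell
#!/bin/sh
# pf-relink.sh: added example, not from the original post. Assumed to be
# run from /etc/ppp/ppp.linkup (entry "MYADDR:" followed by
# " !bg /usr/local/sbin/pf-relink.sh") so the reload happens on every reconnect.
IFACE="${IFACE:-tun0}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"
ADDR_FILE="${ADDR_FILE:-/var/run/pf-relink.${IFACE}.addr}"

# Constructed ifconfig(8) output, used only to exercise the parser below.
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
    inet 192.0.2.10 --> 192.0.2.1 netmask 0xffffffff
    Opened by PID 123'

# inet_from_ifconfig: read ifconfig output on stdin, print the first IPv4 address.
inet_from_ifconfig() {
    awk '$1 == "inet" { print $2; exit }'
}

# current_addr IFACE: address the interface holds right now ("" if none yet).
current_addr() {
    ifconfig "$1" 2>/dev/null | inet_from_ifconfig
}

# addr_changed OLD NEW: true when there is a new address and it differs
# from the one recorded at the previous link-up (OLD may be empty).
addr_changed() {
    [ -n "$2" ] || return 1      # link up but no address assigned: nothing to do
    [ "$1" != "$2" ]
}

# relink: re-parse the ruleset so ($ext_if) is evaluated against the new
# address, then flush the state table so entries still translated to the
# old address are dropped (assumption: those stale states are what keeps
# the LAN off the net until the poster's manual reload).
relink() {
    new=$(current_addr "$IFACE")
    old=$(cat "$ADDR_FILE" 2>/dev/null)
    if addr_changed "$old" "$new"; then
        pfctl -f "$PF_CONF" && pfctl -F states || return 1
        printf '%s\n' "$new" > "$ADDR_FILE"
        logger -t pf-relink "$IFACE: '$old' -> '$new', pf ruleset reloaded and states flushed"
    fi
}

# Act only when executed as the hook script itself, not when sourced for reuse.
case "${0##*/}" in pf-relink.sh) relink ;; esac
```

Flushing the state table also cuts every connection currently tracked by pf, which is tolerable here because the external link has just been re-established and those sessions are already dead on the wire.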