From owner-freebsd-questions@FreeBSD.ORG Mon Oct 18 17:57:25 2010
Date: Mon, 18 Oct 2010 13:57:24 -0400
From: Kevin Wilcox
To: Free BSD Questions list
Subject: pf + NAT + log

Hi everyone.
This is probably better suited for freebsd-pf@ but I'll give it a go before spamming YAML.

I'm testing NAT on FreeBSD 8.1. My setup is very simple:

My workstation -> { internal network switch } -> FreeBSD 8.1 routing firewall with squid 3 -> { switch going to Internet }

My pf configuration is a bare minimum for passing everything and logging at every stage I can think of. I'll start filtering after I get this sorted out.

pf.conf:
=======================
ext_if=bge0
int_if=bge1

rdr pass log(all) on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
nat pass log(all) on $ext_if from $int_if:network to any -> ($ext_if)

pass log(all) on $int_if
pass log(all) on $ext_if
=======================

If my internal workstation is 10.201.201.1, the external interface on my FreeBSD machine is 10.100.100.1 and I ssh to a server at 10.1.1.1, the connection works. On the server I get a connection on port 22 from the FreeBSD router on source port 30000. This is confirmed by netstat and tcpdump on the server. On the workstation, tcpdump and netstat confirm a connection from the workstation to the server; destination port is 22, source port is 10000.

On the FreeBSD router, 'pfctl -s s' confirms:

all tcp 10.201.201.1:10000 -> 10.100.100.1:30000 -> 10.1.1.1:22 ESTABLISHED:ESTABLISHED

Here is where my problem sits. If I do a tcpdump of the pflog, I get an entry from my workstation to the server showing communication from port 10000 to port 22. I get an entry from the FreeBSD router to the server, from port 30000 to port 22. What I don't get, and what I desperately need, is a way to show that the connection from the FreeBSD router to the server is on behalf of my workstation.

Have I missed something in the NAT configuration that logs the actual translations? Can you configure pf to log similar to the output of pfctl where it shows something like:
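As an added example (not from the post, and not pf's own tooling), the attribution the poster is after can be recovered after the fact by joining each pflog entry against the `pfctl -s state` table: in a two-arrow state line the middle endpoint is the translated source the server sees and the first endpoint is the internal host behind it. The state lines below are constructed in the format quoted in the post, and the pflog lines are constructed to resemble `tcpdump -n -e -i pflog0` output.

```python
import re
from typing import Dict, Optional, Tuple
# Constructed `pfctl -s state` output in the three-endpoint form quoted in the
# post (original src -> translated src -> dst); the udp line is untranslated.
PF_STATES = """\
all tcp 10.201.201.1:10000 -> 10.100.100.1:30000 -> 10.1.1.1:22       ESTABLISHED:ESTABLISHED
all tcp 10.201.201.1:10001 -> 10.100.100.1:30001 -> 10.1.1.1:443      ESTABLISHED:ESTABLISHED
all udp 10.100.100.1:5353 -> 10.1.1.2:53       MULTIPLE:SINGLE
"""
# Constructed pflog entries shaped like `tcpdump -n -e -i pflog0` output; the
# router-to-server packets carry only the translated source port.
PFLOG_LINES = """\
rule 1/0(match): pass out on bge0: 10.100.100.1.30000 > 10.1.1.1.22: Flags [S], seq 1, win 65535, length 0
rule 1/0(match): pass out on bge0: 10.100.100.1.30001 > 10.1.1.1.443: Flags [S], seq 2, win 65535, length 0
rule 1/0(match): pass out on bge0: 10.100.100.1.5353 > 10.1.1.2.53: UDP, length 40
"""
Endpoint = Tuple[str, int]
NatKey = Tuple[str, Endpoint, Endpoint]  # (proto, translated src, dst)
STATE_RE = re.compile(
    r"^(?P<if>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+):(?P<ap>\d+)\s+->\s+"
    r"(?P<b>\S+):(?P<bp>\d+)(?:\s+->\s+(?P<c>\S+):(?P<cp>\d+))?")
PFLOG_RE = re.compile(
    r"on (?P<if>\S+): (?P<src>[\d.]+)\.(?P<sp>\d+) > (?P<dst>[\d.]+)\.(?P<dp>\d+):")

def nat_map(states: str) -> Dict[NatKey, Endpoint]:
    """Index translated states: two arrows mean pf rewrote the source, so the
    middle endpoint is what the far end sees; one-arrow states are skipped."""
    table: Dict[NatKey, Endpoint] = {}
    for line in states.splitlines():
        m = STATE_RE.match(line)
        if not m or m.group("c") is None:
            continue  # malformed or untranslated: nothing to attribute
        orig = (m.group("a"), int(m.group("ap")))
        xlat = (m.group("b"), int(m.group("bp")))
        dst = (m.group("c"), int(m.group("cp")))
        table[(m.group("proto"), xlat, dst)] = orig
    return table

def attribute(pflog_line: str, table: Dict[NatKey, Endpoint]) -> Optional[Endpoint]:
    """Return the internal host:port behind one NAT'd pflog entry, else None."""
    m = PFLOG_RE.search(pflog_line)
    if not m:
        return None
    proto = "udp" if "UDP," in pflog_line else "tcp"  # heuristic on tcpdump text
    key = (proto, (m.group("src"), int(m.group("sp"))), (m.group("dst"), int(m.group("dp"))))
    return table.get(key)

def attribute_all(pflog: str = PFLOG_LINES, states: str = PF_STATES):
    table = nat_map(states)  # one internal endpoint (or None) per pflog line
    return [attribute(line, table) for line in pflog.splitlines()]
```

In practice the two inputs must be captured close together: a state that has already expired from the table cannot be attributed this way, which is why a logging sink that records the translation at connection time is preferable to a post-hoc join.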