From owner-freebsd-questions@FreeBSD.ORG Wed Jan 19 16:06:54 2005
Date: Wed, 19 Jan 2005 16:06:27 +0000
From: Kosta Kilim <kopno@sdf.lonestar.org>
To: freebsd-questions@freebsd.org
Message-ID: <20050119160627.GB11546@SDF.LONESTAR.ORG>
User-Agent: Mutt/1.4.2.1i
Subject: PF and NAT on FreeBSD 5.3
List-Id: User questions

Hello,

I'm trying to set up PF with NAT for my home network. PF is compiled into the kernel (FreeBSD 5.3, fresh cvsup) and working; I can do pfctl -e|-d|-s just fine, and pflog0 is seen in ifconfig's output.

My IP range is a class C /29. I have an ADSL router which works in bridged mode. So I connect to the ISP, get a static address for the router, then I assign one to the machine I'd like to act as a firewall from the /29 range. So the router takes one and the machine takes one address from the class C /29. The other addresses can be ignored; I don't want to use them.

For the rest of the machines on the network, I'd like them to go through this machine, which I'd like to do NAT using PF. The machine has the IP from the class C /29 range, and 192.168.0.0/27 on the other NIC.

So what I'd like to know is how do I write the rules to perform this. I thought that just taking the rules from the first example of the PF tutorial would do; I changed them slightly to suit my scenario. But still I can only go to the net with the one machine on the class C /29 subnet.

Any hints would be gladly received. Thank you for your time.

# macros, these are renamed to my NIC names
int_if = "fxp0"
ext_if = "ep0"
tcp_services = "{ 22 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/27 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat
nat on $ext_if from $int_if:network to any -> ($ext_if)

# filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

-- 
kopno@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org
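As an added worked example (not part of the original post, and not pf itself), the script below models how pf evaluates the filter rules quoted above for a few sample packets: the last matching rule wins unless a matching rule says quick, and on the NAT interface translation happens before the outbound filter sees the packet. It deliberately ignores state tracking, scrub, icmp-type and TCP flag checks. All addresses are constructed: 203.0.113.10 stands in for the firewall's /29 address, which the post does not give, and 198.51.100.7 for an Internet host.

```python
# Added example: a simplified model of pf rule evaluation for the ruleset in
# the post. Not pf code; constructed addresses; no state tracking modelled.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INT_IF, EXT_IF = "fxp0", "ep0"                     # NIC names from the post
EXT_ADDR = "203.0.113.10"                          # constructed: the ($ext_if) address
INT_NET = ip_network("192.168.0.0/27")             # $int_if:network
PRIV_NETS = [ip_network("127.0.0.0/8"), INT_NET]   # $priv_nets
TCP_SERVICES = {22}                                # $tcp_services


@dataclass
class Rule:
    text: str                          # the pf.conf line being modelled
    action: str                        # "pass" or "block"
    direction: Optional[str] = None    # "in", "out", or None for both
    quick: bool = False
    iface: Optional[str] = None        # None = any interface
    protos: Optional[set] = None       # None = any protocol
    src: Optional[list] = None         # list of networks, None = any
    dst: Optional[list] = None
    dports: Optional[set] = None       # None = any destination port


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_in(addr: str, nets: Optional[list]) -> bool:
    return nets is None or any(ip_address(addr) in n for n in nets)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.protos and pkt.proto not in rule.protos:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    return _addr_in(pkt.src, rule.src) and _addr_in(pkt.dst, rule.dst)


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Walk the ruleset in order: remember the last match, stop at 'quick'."""
    decision = ("pass", "<no rule matched; pf passes by default>")
    for rule in rules:
        if matches(rule, pkt):
            decision = (rule.action, rule.text)
            if rule.quick:
                break
    return decision


RULES = [
    Rule("block all", "block"),
    Rule("pass quick on lo0 all", "pass", quick=True, iface="lo0"),
    Rule("block drop in quick on $ext_if from $priv_nets to any", "block",
         direction="in", quick=True, iface=EXT_IF, src=PRIV_NETS),
    Rule("block drop out quick on $ext_if from any to $priv_nets", "block",
         direction="out", quick=True, iface=EXT_IF, dst=PRIV_NETS),
    Rule("pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services",
         "pass", direction="in", iface=EXT_IF, protos={"tcp"},
         dst=[ip_network(EXT_ADDR)], dports=TCP_SERVICES),
    Rule("pass in inet proto icmp all icmp-type $icmp_types keep state", "pass",
         direction="in", protos={"icmp"}),
    Rule("pass in on $int_if from $int_if:network to any keep state", "pass",
         direction="in", iface=INT_IF, src=[INT_NET]),
    Rule("pass out on $int_if from any to $int_if:network keep state", "pass",
         direction="out", iface=INT_IF, dst=[INT_NET]),
    Rule("pass out on $ext_if proto tcp all modulate state flags S/SA", "pass",
         direction="out", iface=EXT_IF, protos={"tcp"}),
    Rule("pass out on $ext_if proto { udp, icmp } all keep state", "pass",
         direction="out", iface=EXT_IF, protos={"udp", "icmp"}),
]


def forward_lan_packet(pkt: Packet, nat: bool = True) -> tuple:
    """A LAN packet crosses the gateway twice: in on $int_if, then out on
    $ext_if. 'nat on $ext_if' rewrites the source before the outbound filter
    runs, so the second pass sees ($ext_if) as the source address."""
    inbound = evaluate(RULES, pkt)
    if inbound[0] != "pass":
        return inbound, None
    src = EXT_ADDR if nat else pkt.src
    outbound = Packet("out", EXT_IF, pkt.proto, src, pkt.dst, pkt.dport)
    return inbound, evaluate(RULES, outbound)


if __name__ == "__main__":
    lan_http = Packet("in", INT_IF, "tcp", "192.168.0.5", "198.51.100.7", 80)
    print("LAN -> Internet:", forward_lan_packet(lan_http))
    spoofed = Packet("in", EXT_IF, "tcp", "192.168.0.9", EXT_ADDR, 22)
    print("spoofed private source on ep0:", evaluate(RULES, spoofed))
    unsolicited = Packet("in", EXT_IF, "tcp", "198.51.100.7", EXT_ADDR, 25)
    print("unsolicited SMTP to ep0:", evaluate(RULES, unsolicited))
```

Run as-is, the model shows that the filter rules already pass a LAN host's traffic both in on fxp0 and, after translation, out on ep0, while a packet arriving on ep0 with a private source is dropped by the quick anti-spoofing rule and an unsolicited connection to a port other than 22 falls through to block all. What the model cannot show is the kernel's own behaviour: pf only filters and translates, and FreeBSD forwards packets between two NICs only when IP forwarding is enabled (gateway_enable="YES" in /etc/rc.conf, or sysctl net.inet.ip.forwarding=1), which is a separate setting from anything in pf.conf. A ruleset can also be syntax-checked without loading it using pfctl -nf /etc/pf.conf.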