From: Karol Kwiatkowski
Date: Wed, 19 Jan 2005 18:25:32 +0100
To: Kosta Kilim
cc: freebsd-questions@freebsd.org
Subject: Re: PF and NAT on FreeBSD 5.3
Message-ID: <41EE980C.3010800@orchid.homeunix.org>
In-Reply-To: <20050119160627.GB11546@SDF.LONESTAR.ORG>

Kosta Kilim wrote:
> Hello,
>
> I'm trying to set up PF with NAT for my home network.
>
> PF is compiled into the kernel (FreeBSD 5.3, fresh cvsup) and working;
> I can do pfctl -e|-d|-s just fine. And pflog0 is seen in ifconfig's
> output.
>
> My IP range is: class C /29
>
> I have an ADSL router which works in bridged mode. So I connect to the
> ISP, get a static address for the router, then I assign one to the
> machine I'd like to act as a firewall from the /29 range.
>
> So the router takes one and the machine takes one address from the
> class C /29. The other addresses can be ignored. I don't want to use
> them.
>
> For the rest of the machines on the network I'd like them to go
> through this machine, which I'd like to do NAT using PF.
>
> The machine has the IP from the class C /29 range, and 192.168.0.0/27
> on the other NIC.
>
> So what I'd like to know is how do I write the rules to perform
> this. I thought that just taking the rules from the first example of
> the PF tutorial would do; I changed them slightly to suit my
> scenario. But still I can only go to the net with the one machine on
> the class C /29 subnet.

pf rules look OK.

Wild guess: have you enabled packet forwarding? You can check it with
sysctl(8):

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

To enable this at boot time put

gateway_enable="YES"

in your /etc/rc.conf

Also check the handbook (25.2.4 Building a Router chapter):
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

> Any hints would be gladly received. Thank you for your time.

You're welcome (I'm not sure if that helps, though).

Regards,

Karol

> # macros, these are renamed to my NIC names
> int_if = "fxp0"
> ext_if = "ep0"
>
> tcp_services = "{ 22 }"
> icmp_types = "echoreq"
>
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/27 }"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> # scrub
> scrub in all
>
> # nat
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
>
> # filter rules
> block all
>
> pass quick on lo0 all
>
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>     port $tcp_services flags S/SA keep state
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> pass in on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
>
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state

-- 
Karol Kwiatkowski
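Added example, not code from the thread: a small sh audit of the two settings Karol points at, the live net.inet.ip.forwarding sysctl and the persistent gateway_enable in /etc/rc.conf, which is the usual reason a PF NAT box with correct-looking rules still does not forward for the inside network. The function names and the sample sysctl output and rc.conf text are constructed for this example; on the gateway itself you would feed it "$(sysctl net.inet.ip.forwarding)" and "$(cat /etc/rc.conf)".

```shell
# Added example (not from the thread). The checks take sysctl(8) output and
# rc.conf text as arguments so they run offline on any POSIX sh.

# forwarding_enabled "<sysctl output line>" -> 0 if the kernel forwards IPv4
forwarding_enabled() {
    case "$1" in
        "net.inet.ip.forwarding: 1") return 0 ;;
        *) return 1 ;;
    esac
}

# gateway_persistent "<rc.conf contents>" -> 0 if gateway_enable is YES.
# rc.conf is sourced as a shell script, so the last uncommented assignment
# wins and a commented-out line has no effect.
gateway_persistent() {
    val=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*gateway_enable="\{0,1\}\([A-Za-z]*\)"\{0,1\}.*/\1/p' \
        | tail -n 1)
    [ "$(printf '%s' "$val" | tr '[:lower:]' '[:upper:]')" = "YES" ]
}

# audit_gateway "<sysctl output>" "<rc.conf contents>" -> 0 only if both are
# set; prints what is missing so the fix is obvious.
audit_gateway() {
    rc=0
    if forwarding_enabled "$1"; then
        echo "ok: kernel is forwarding packets now"
    else
        echo "missing: sysctl net.inet.ip.forwarding=1 (takes effect immediately)"
        rc=1
    fi
    if gateway_persistent "$2"; then
        echo "ok: gateway_enable=\"YES\" in rc.conf (survives reboot)"
    else
        echo "missing: gateway_enable=\"YES\" in /etc/rc.conf"
        rc=1
    fi
    return $rc
}

# Constructed sample mirroring Kosta's symptom: pf is enabled but the kernel
# was never told to forward, so 192.168.0.0/27 hosts cannot reach the net.
SAMPLE_SYSCTL='net.inet.ip.forwarding: 0'
SAMPLE_RCCONF='pf_enable="YES"
pf_rules="/etc/pf.conf"
# gateway_enable="YES"'
audit_gateway "$SAMPLE_SYSCTL" "$SAMPLE_RCCONF" || echo "gateway not ready"
```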