Date: Tue, 18 Jan 2005 10:29:00 +0100
From: Eric Masson <e-masson@kisoft-services.com>
To: Max Laier <max@love2party.net>
Cc: Mailing List FreeBSD PF <freebsd-pf@FreeBSD.org>
Subject: Re: pf & clonable devices
Message-ID: <86r7kj3x2b.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <200501172327.13677.max@love2party.net> (Max Laier's message of "Mon, 17 Jan 2005 23:27:03 +0100")
References: <86k6qcynus.fsf@srvbsdnanssv.interne.kisoft-services.com> <200501172327.13677.max@love2party.net>
>>>>> "Max" == Max Laier <max@love2party.net> writes:
Hi Max,
Max> Just guessing, but I assume you forgot to use round brackets
Max> around your NAT and from/to addresses. It should look like the
Max> following:
Don't think so, but maybe I'm wrong:
# macros
int_if = "xl0"
ext_if = "ppp0"
tun_if = "ppp1"
tcp_services = "{ 22 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# options
set block-policy return
set loginterface $ext_if
# scrub
scrub in all
# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
# filter rules
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $int_if all
pass out quick on $int_if all
pass in quick on $tun_if all
pass out quick on $tun_if all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
Max> If you have it this way, you should send more details about your
Max> ruleset, maybe to the freebsd-pf mailinglist.
I've just subscribed to this list, so follow up there.
Éric Masson
--
So, once and for all: on 1 January 2000 at 00h00h01s, we will already
have started 2001, a year that will be entirely over on 1 January 2001
at 00h00m00s.
-+- JCM in GNU: always a year ahead of the competition -+-
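An added check, not part of Éric's or Max's post: a small Python lint that expands the macros of a pf.conf body and flags any dynamic (ppp/tun) interface used as an address after from, to or -> without the round brackets Max asked about. Both rulesets below are constructed for the example: the first is the ruleset quoted in the post, the second is a deliberately unbracketed variant. The ppp/tun name pattern used to decide what counts as a dynamic interface is an assumption.

```python
import re

# Constructed sample: the ruleset quoted in the post, macros included.
# The backslash continuation on the "pass in on $ext_if ..." rule is
# kept so the parser has to deal with it.
POSTED_RULESET = r"""
int_if = "xl0"
ext_if = "ppp0"
tun_if = "ppp1"
tcp_services = "{ 22 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
set block-policy return
set loginterface $ext_if
scrub in all
nat on $ext_if from $int_if:network to any -> ($ext_if)
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $int_if all
pass out quick on $int_if all
pass in quick on $tun_if all
pass out quick on $tun_if all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
"""

# Constructed counter-example: the mistake Max suspected. Without the
# brackets pf resolves ppp0's address once, at ruleset load time, instead
# of tracking it when the link is renegotiated.
BAD_RULESET = r"""
int_if = "xl0"
ext_if = "ppp0"
nat on $ext_if from $int_if:network to any -> $ext_if
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"(.*)"$')
# Assumption: only ppp and tun clones are treated as dynamic interfaces.
DYNAMIC_IF_RE = re.compile(r"^(ppp|tun)\d+$")


def parse(text):
    """Split a pf.conf body into a macro table and a list of rule lines."""
    macros, rules = {}, []
    joined = text.replace("\\\n", " ")          # fold backslash continuations
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(line)
    return macros, rules


def expand(rule, macros):
    """Substitute $macro references the way pfctl does before parsing."""
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), rule)


def address_tokens(tokens, i):
    """Yield the address token(s) that follow from/to/-> at index i."""
    if i + 1 >= len(tokens):
        return
    if tokens[i + 1] == "{":                    # address list: { a, b, c }
        j = i + 2
        while j < len(tokens) and tokens[j] != "}":
            yield tokens[j].rstrip(",")
            j += 1
    else:
        yield tokens[i + 1]


def find_issues(text):
    """Return (rule, address) pairs where a dynamic interface is used as an
    address without round brackets. "(ppp0)" never matches the pattern,
    so bracketed uses pass."""
    macros, rules = parse(text)
    issues = []
    for rule in rules:
        tokens = expand(rule, macros).split()
        for i, tok in enumerate(tokens):
            if tok not in ("from", "to", "->"):
                continue
            for addr in address_tokens(tokens, i):
                base = addr.split(":")[0]       # strip :network / :broadcast
                if DYNAMIC_IF_RE.match(base):
                    issues.append((rule, addr))
    return issues


if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULESET), ("bad", BAD_RULESET)):
        issues = find_issues(text)
        print(f"{name}: {len(issues)} unbracketed dynamic address(es)")
        for rule, addr in issues:
            print(f"  {addr!r} in: {rule}")
```

Run against the quoted ruleset it reports nothing, which backs Éric's reply: both address uses of $ext_if are bracketed, and the "on $ext_if" uses name the interface rather than its address, so they need no brackets. The variant without brackets is flagged twice.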