From owner-freebsd-pf@FreeBSD.ORG Thu Jan 27 17:00:06 2011
From: Kevin Wilcox
To: freebsd-pf@freebsd.org
Date: Thu, 27 Jan 2011 11:33:51 -0500
Subject: log NAT translations
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello all.
I've been using FreeBSD 7.x and 8.x for bridged firewalls and logging hasn't been an issue. Now I'm moving one of them to NAT and I suddenly realise I have a major problem - I can't log the actual translations.

Consider the following:

  Client A - 10.1.1.1
  Client B - 10.1.2.2
  Remote server C - some IP out on the Internet
  Inside firewall interface: 10.1.2.254
  Outside firewall interface: 192.168.1.1

The sysadmin for C comes to me and says, "hey, someone from 192.168.1.1, source port 12345, is banging on my server on port 80."

I go to the logs for my firewall, logging on both interfaces. The log for the inside interface shows connections from clients A and B going to C on port 80 with source ports 30000 and 40000. I go to the log for the outside interface and see connections going from 192.168.1.1 to server C, destination port 80, source ports 12345 and 23456.

My problem is that I can't tie the inside IP:port to the translated IP:port, so while I can narrow it down to a couple of internal IPs, I can't pinpoint which client is being civil and which one is causing the problem.

Before I write something to interpret state changes from pfsync, can anyone offer guidance on how to pull those translations?

Thanks!

kmw
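One place the inside-to-outside mapping is visible is pf's own state table: `pfctl -ss` prints each NAT'ed state with the translated address first and the original pre-translation address in parentheses. The following script is an added example written for this thread, not code from the poster or from the FreeBSD project; it parses a constructed snippet of `pfctl -ss` output in that assumed format (IPv4 only) and answers the question "which internal client was behind 192.168.1.1:12345?". Addresses and ports are taken from the scenario above, with 203.0.113.10 standing in for server C.

```python
import re
from collections import namedtuple

# Constructed sample of `pfctl -ss` output. Assumed layout for outbound NAT
# states: "<if> <proto> <translated ip:port> (<original ip:port>) -> <dst ip:port> <state>".
# The last line is a non-NAT, inbound state and is deliberately not matched.
SAMPLE_STATES = """\
all tcp 192.168.1.1:12345 (10.1.1.1:30000) -> 203.0.113.10:80       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.1:23456 (10.1.2.2:40000) -> 203.0.113.10:80       ESTABLISHED:ESTABLISHED
all udp 192.168.1.1:53001 (10.1.1.1:53001) -> 203.0.113.53:53       MULTIPLE:SINGLE
all tcp 10.1.2.254:22 <- 10.1.1.1:50000       ESTABLISHED:ESTABLISHED
"""

State = namedtuple(
    "State", "proto ext_ip ext_port int_ip int_port dst_ip dst_port"
)

# IPv4 only; pf prints IPv6 endpoints as [addr]:port, which this pattern skips.
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>\w+)\s+"
    r"(?P<ext_ip>[0-9.]+):(?P<ext_port>\d+)\s+"
    r"\((?P<int_ip>[0-9.]+):(?P<int_port>\d+)\)\s+->\s+"
    r"(?P<dst_ip>[0-9.]+):(?P<dst_port>\d+)"
)


def parse_states(text):
    """Return a State for every NAT'ed outbound entry in pfctl -ss output."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # non-NAT or inbound state: no translation to record
        states.append(State(
            m["proto"],
            m["ext_ip"], int(m["ext_port"]),
            m["int_ip"], int(m["int_port"]),
            m["dst_ip"], int(m["dst_port"]),
        ))
    return states


def find_internal(states, ext_ip, ext_port, dst_ip=None, dst_port=None):
    """Map a translated (outside) ip:port back to the inside client ip:port.

    dst_ip/dst_port narrow the match when the same external port is reused
    toward different destinations.
    """
    hits = []
    for s in states:
        if s.ext_ip != ext_ip or s.ext_port != ext_port:
            continue
        if dst_ip is not None and s.dst_ip != dst_ip:
            continue
        if dst_port is not None and s.dst_port != dst_port:
            continue
        hits.append((s.int_ip, s.int_port))
    return hits


if __name__ == "__main__":
    table = parse_states(SAMPLE_STATES)
    # The complaint from C's admin: 192.168.1.1:12345 hitting port 80.
    print(find_internal(table, "192.168.1.1", 12345, dst_port=80))
```

The state table only holds live states, so a one-off `pfctl -ss` answers the question only while the connection exists; to reconstruct a mapping after the fact you need to snapshot it periodically (or, as the poster suggests, record state changes from pfsync) and store the translated/original pairs with timestamps.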