Date: Fri, 21 Jan 2005 09:41:03 -0600
From: "Andrew L. Gould" <algould@datawok.com>
To: freebsd-questions@freebsd.org
Subject: workaround: Re: 'nat pass' not working in PF
Message-ID: <200501210941.03944.algould@datawok.com>
In-Reply-To: <200501210820.45744.algould@datawok.com>
References: <200501210820.45744.algould@datawok.com>
On Friday 21 January 2005 08:20 am, Andrew L. Gould wrote:
> I'm running pf in FreeBSD 5.3 on my laptop. The filters for the
> local box work fine.
>
> I'm also working on a pc for a friend; but ran out of ethernet ports
> in my router. This pc doesn't have a wireless adapter; so I adjusted
> my pf rules to use my laptop as a gateway for the pc.
>
> I want my filters to remain intact for the laptop; but I want nat to
> let all the pc's traffic through. (It has its own firewall.)
> According to the OpenBSD pf tutorial, adding the word 'pass' after 'nat'
> in the nat command will allow nat traffic to bypass the filter rules.
> Unfortunately, this doesn't seem to work.
>
> If my default 'block log all' rule is left uncommented, I can only
> ping ip addresses (not host names that require nameservers). No
> other activity passes through. If I comment it out, all traffic
> passes; but my laptop is left unprotected.
>
> Any advice?
>
> The relevant lines from my pf rules follow:
>
> ifdev = "ath0"
> natdev = "fxp0"
> scrub in all no-df
> nat pass on $ifdev from $natdev:network to any -> $ifdev
> icmp_types = "echoreq"
> block log all
> #other filtering rules follow
>
> Thanks,
>
> Andrew Gould

I added a 'pass in' rule for $natdev; and it seems to work. Although, I dislike it because it's one more line to remember to comment out when I'm not nat-ing.

Thanks,

Andrew Gould
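The following pf.conf is an added example built around the rules quoted in the message; it is not the poster's own file. It keeps his interface names (ath0 as the wireless uplink, fxp0 as the wired port to the friend's PC, inferred from the message) and his macros, and shows why the extra 'pass in' rule is needed: 'nat pass' only exempts the translated packets as they leave ath0, while the same packets are first evaluated inbound on fxp0, where 'block log all' still applies. The 'keep state' keywords are written out because pass rules were not stateful by default in the pf shipped with FreeBSD 5.3.

```pf
# Added example (not the original poster's file). Interface roles and the
# internal network macro are taken from the message; everything else is an
# illustrative assumption.
ext_if = "ath0"        # wireless uplink to the router (poster's $ifdev)
int_if = "fxp0"        # wired port to the friend's PC (poster's $natdev)
icmp_types = "echoreq"

scrub in all no-df

# Translation. Packets from the wired network leaving on ath0 get ath0's
# address. The 'pass' modifier exempts *those translated packets, outbound on
# ath0* from the filter rules below. Translations are stateful, so replies
# arriving on ath0 match the state entry and are passed back to the PC.
# 'nat pass' says nothing about what arrives on fxp0.
nat pass on $ext_if from $int_if:network to any -> $ext_if

# Default deny for everything, laptop included.
block log all

# The PC's packets hit pf first as *inbound on fxp0*, before the nat rule
# has seen them. Without this rule 'block log all' drops them there, which
# is the behaviour described in the message. Restricting the source to the
# wired network keeps the exemption from applying to anything else that
# might be plugged into fxp0 later.
pass in on $int_if from $int_if:network to any keep state

# Echo requests are allowed in, as the poster's icmp_types macro suggests.
pass in inet proto icmp all icmp-type $icmp_types keep state

# The laptop's own filter rules follow here. The PC's traffic never reaches
# them on ath0 because the nat rule already passed it. If the laptop should
# filter the PC's traffic as well, drop 'pass' from the nat rule and add
# explicit 'pass out on $ext_if ... keep state' rules instead.
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only, nothing loaded), load it with `pfctl -f /etc/pf.conf`, and confirm what is in effect with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules). Packets dropped by 'block log all' can be watched with `tcpdump -n -e -ttt -i pflog0`; a stream of drops on fxp0 from the PC's address is the symptom the 'pass in' rule cures. The laptop also needs IP forwarding on (gateway_enable="YES" in rc.conf), which must already have been the case here since NAT worked with the block rule commented out. As for the "one more line to comment out" objection: pf anchors ('nat-anchor' and 'anchor' in pf.conf, loaded and flushed with `pfctl -a`) are the usual way to make a set of rules switchable without editing the main file.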
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200501210941.03944.algould>