From: "Andrew L. Gould" <algould@datawok.com>
To: freebsd-questions@freebsd.org
Date: Fri, 21 Jan 2005 09:41:03 -0600
Subject: workaround: Re: 'nat pass' not working in PF
Message-Id: <200501210941.03944.algould@datawok.com>
In-Reply-To: <200501210820.45744.algould@datawok.com>

On Friday 21 January 2005 08:20 am, Andrew L. Gould wrote:
> I'm running pf in FreeBSD 5.3 on my laptop. The filters for the
> local box work fine.
>
> I'm also working on a pc for a friend, but ran out of ethernet ports
> in my router. This pc doesn't have a wireless adapter, so I adjusted
> my pf rules to use my laptop as a gateway for the pc.
>
> I want my filters to remain intact for the laptop, but I want nat to
> let all the pc's traffic through. (It has its own firewall.)
> According to the OpenBSD pf tutorial, adding the word 'pass' after 'nat'
> in the nat command will allow nat traffic to bypass the filter rules.
> Unfortunately, this doesn't seem to work.
>
> If my default 'block log all' rule is left uncommented, I can only
> ping ip addresses (not host names that require nameservers). No
> other activity passes through. If I comment it out, all traffic
> passes, but my laptop is left unprotected.
>
> Any advice?
>
> The relevant lines from my pf rules follow:
>
> ifdev = "ath0"
> natdev = "fxp0"
> scrub in all no-df
> nat pass on $ifdev from $natdev:network to any -> $ifdev
> icmp_types = "echoreq"
> block log all
> #other filtering rules follow
>
> Thanks,
>
> Andrew Gould

I added a 'pass in' rule for $natdev, and it seems to work. I dislike it,
though, because it's one more line to remember to comment out when I'm
not nat-ing.

Thanks,

Andrew Gould
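The workaround described in the message, written out as a complete pf.conf fragment. This is an added example, not the poster's actual file: the exact 'pass in' rule he added is not quoted, so the form shown here is an assumption, as is the tail of the ruleset. The reason 'nat pass' alone was not enough is a property of pf's rule processing: a nat rule is matched when a packet leaves the interface named in the rule ($ifdev), and its 'pass' only exempts those already-translated outbound packets from filtering on that interface. The same packet first arrived inbound on $natdev, where no nat rule applies, so 'block log all' caught it there. A plain pass rule on the inbound side is therefore required regardless of 'nat pass'.

```conf
# Added example, not the original poster's pf.conf.
# Interface names come from the message; everything else is an assumption.
ifdev      = "ath0"      # wireless uplink; nat is applied here
natdev     = "fxp0"      # wired port the friend's pc is plugged into
icmp_types = "echoreq"

scrub in all no-df

# Matched only for packets leaving $ifdev. 'pass' lets the translated
# outbound packet skip the filter on $ifdev, and the state it creates
# lets the reply back in on $ifdev. It says nothing about $natdev.
nat pass on $ifdev from $natdev:network to any -> $ifdev

# Default deny for the laptop itself; pf uses last-match, so the
# pass rules below override it only for what they name.
block log all

# The workaround line (assumed form). The pc's packets enter on $natdev
# before any nat rule is consulted, so they need their own pass rule.
# 'keep state' lets the replies go back out on $natdev without another rule.
pass in on $natdev from $natdev:network to any keep state

# The laptop's own filtering continues below (assumed examples).
pass out on $ifdev proto { tcp, udp } from $ifdev to any keep state
pass in  on $ifdev inet proto icmp all icmp-type $icmp_types keep state
```

Load and check it with `pfctl -nf /etc/pf.conf` first (parse only), then `pfctl -f /etc/pf.conf`. With this layout the 'block log all' rule never needs to be commented out: when the gateway is not in use, removing or commenting the single 'pass in on $natdev' line closes the wired side again while the laptop's own rules stay exactly as they were.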