From: J65nko BSD <j65nko@gmail.com>
To: "Andrew L. Gould"
cc: freebsd-questions@freebsd.org
Date: Fri, 21 Jan 2005 18:13:10 +0100
Subject: Re: 'nat pass' not working in PF
Message-ID: <19861fba050121091360fa18d3@mail.gmail.com>
In-Reply-To: <200501210820.45744.algould@datawok.com>

On Fri, 21 Jan 2005 08:20:45 -0600, Andrew L. Gould wrote:
> I'm running pf in FreeBSD 5.3 on my laptop. The filters for the local
> box work fine.
>
> I'm also working on a pc for a friend; but ran out of ethernet ports in
> my router. This pc doesn't have a wireless adapter; so I adjusted my
> pf rules to use my laptop as a gateway for the pc.
>
> I want my filters to remain intact for the laptop; but I want nat to let
> all the pc's traffic through. (It has its own firewall.) According
> to the OpenBSD pf tutorial, adding the word 'pass' after 'nat' in the nat
> command will allow nat traffic to bypass the filter rules.
> Unfortunately, this doesn't seem to work.
>
> If my default 'block log all' rule is left uncommented, I can only ping
> ip addresses (not host names that require nameservers). No other
> activity passes through. If I comment it out, all traffic passes; but
> my laptop is left unprotected.
>
> Any advice?
>
> The relevant lines from my pf rules follow:
>
> ifdev = "ath0"
> natdev = "fxp0"
> scrub in all no-df
> nat pass on $ifdev from $natdev:network to any -> $ifdev
> icmp_types = "echoreq"
> block log all
> #other filtering rules follow
>
> Thanks,
>
> Andrew Gould

How about something like this:

EXT_IF = "fxp0"
INT_IF = "xl0"
TCP_OUT = "{ ssh, www, https, smtp, pop3 }"
UDP_OUT = "{ domain }"
ICMP_OUT = "echoreq"

scrub in all no-df

nat on $EXT_IF from $INT_IF:network to any -> $EXT_IF

# -- default policy
block log from any to any

# -- LOOPBACK
pass quick on lo0 from any to any

# -- EXTERNAL
# -- tcp
pass out quick on $EXT_IF inet proto tcp from any to any port $TCP_OUT flags S/SA keep state
# -- udp
pass out quick on $EXT_IF inet proto udp from any to any port $UDP_OUT keep state
# -- icmp
pass out quick on $EXT_IF inet proto icmp from any to any icmp-type $ICMP_OUT keep state

# -- INTERNAL
pass on $INT_IF from any to any

=Adriaan==
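An added example, not Adriaan's ruleset or anything else posted in the thread, that keeps Andrew's interface roles (ath0 is the wireless uplink, fxp0 the wired port to the friend's PC); the PC subnet 192.168.2.0/24 is an assumption. The point it illustrates: 'pass' on a nat rule skips the filter only for the translated packet as it leaves ath0, while the PC's packets are first evaluated on fxp0, where 'block log all' still applies, so they need a pass rule of their own there and the laptop's own default policy can stay in place.

```pf
# Added example (not from the thread). Interface roles follow Andrew's
# variables; the wired subnet 192.168.2.0/24 is assumed.
ext_if = "ath0"                # wireless uplink
int_if = "fxp0"                # wired port to the friend's PC
pc_net = "192.168.2.0/24"      # assumed address block on the wired segment

scrub in all no-df

# 'pass' here only skips the filter for the translated packet on $ext_if.
nat pass on $ext_if from $pc_net to any -> $ext_if

# Default policy for the laptop itself stays uncommented.
block log all

# The PC's packets arrive on $int_if before NAT happens on $ext_if and are
# filtered there, so they need an explicit pass; 'keep state' lets the
# replies back out on $int_if without a second rule.
pass in quick on $int_if inet proto tcp from $pc_net to any flags S/SA keep state
pass in quick on $int_if inet proto { udp, icmp } from $pc_net to any keep state

# Laptop's own traffic: loopback plus the outbound services it needs.
pass quick on lo0 all
pass out quick on $ext_if inet proto tcp from any to any port { ssh, www, https } flags S/SA keep state
pass out quick on $ext_if inet proto udp from any to any port domain keep state
pass out quick on $ext_if inet proto icmp from any to any icmp-type echoreq keep state
```

pfctl -nf /etc/pf.conf parses the file without loading it, and pfctl -sr afterwards shows the rules in the order pf evaluates them.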