From: Alex Teslik
To: freebsd-pf@freebsd.org
Date: Sat, 13 Feb 2010 10:05:22 -0800
Subject: pf: nat works, ip blocking and logging do not
List-Id: "Technical discussion and general questions about packet filter (pf)"

I set up pf with NAT on my FreeBSD 7 system:
[gouda:root]/root# pfctl -sa -vvvv
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
@0 nat on em0 inet from 192.168.4.0/24 to any -> (em0) round-robin
  [ Evaluations: 29986     Packets: 67086     Bytes: 54746182    States: 21    ]
  [ Inserted: uid 0 pid 66358 ]
FILTER RULES:
@0 scrub in all fragment reassemble
  [ Evaluations: 1030123   Packets: 539441    Bytes: 76737270    States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@0 block drop in log (all) quick on em0 inet from 11.11.11.111 to any
  [ Evaluations: 75127     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@1 block drop in log (all) quick on em0 inet from 22.22.22.222 to any
  [ Evaluations: 32476     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@2 block drop out log (all) quick on em0 inet from 11.11.11.111 to any
  [ Evaluations: 56044     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@3 block drop out log (all) quick on em0 inet from 22.22.22.222 to any
  [ Evaluations: 23568     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@4 pass in all flags S/SA keep state
  [ Evaluations: 75130     Packets: 311544    Bytes: 126402695   States: 62    ]
  [ Inserted: uid 0 pid 66358 ]
@5 pass out all flags S/SA keep state
  [ Evaluations: 75130     Packets: 239954    Bytes: 97798568    States: 55    ]
  [ Inserted: uid 0 pid 66358 ]

NAT works great. Unfortunately, I can still go to 11.11.11.111 or 22.22.22.222 with no blocking and no logging in /var/log/pflog. When I listen on pflog0 with tcpdump there are no entries when I go to those IPs. What am I doing wrong here that is preventing logging and blocking from working?
[gouda:root]/root# tcpdump -vvveni pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes

[gouda:root]/root# cat /etc/pf.conf
ext_if="em0"
int_if="sk0"

set skip on lo0

scrub in

nat on $ext_if from $int_if:network to any -> ($ext_if)

block drop in log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222 } to any
block drop out log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222 } to any

pass in all
pass out all

Thank you for your thoughts.
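The ruleset below is an added example, not the poster's pf.conf: it keeps the interface names and addresses from the post (the table name <banned> is my own) and rewrites the block rules so that they test the address the poster actually wants to match, with comments explaining why the original rules never counted a packet.

```pf
# Added example (not the poster's pf.conf). Interface names and addresses are
# taken from the post; the table name <banned> is an assumption.
#
# Why the original rules show "Packets: 0": a packet this host (or a NAT'd
# client behind sk0) sends toward 11.11.11.111 carries 11.11.11.111 as its
# *destination*, so "block out ... from 11.11.11.111" never matches it.
# "pass out all ... keep state" then creates a state entry, and the reply
# from 11.11.11.111 is matched by that state before the ruleset is consulted,
# so "block in ... from 11.11.11.111" never sees it either.
ext_if="em0"
int_if="sk0"
table <banned> { 11.11.11.111, 22.22.22.222 }

set skip on lo0
scrub in

nat on $ext_if from $int_if:network to any -> ($ext_if)

# Outbound: drop and log anything addressed *to* a banned host. nat only
# rewrites the source address, so the destination is still visible here.
block drop out log quick on $ext_if to <banned>
# Inbound: drop and log unsolicited traffic *from* a banned host. No state
# can exist for it, because the outbound rule above never lets the SYN out.
block drop in log quick on $ext_if from <banned>

pass in all
pass out all
```

After loading it with pfctl -f /etc/pf.conf, the Packets counters shown by pfctl -vsr for the two block rules should increase when a connection to a banned address is attempted, and tcpdump -n -e -ttt -i pflog0 should show the matching entries.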