From owner-freebsd-pf@FreeBSD.ORG Wed Jul 26 18:32:00 2006
Message-ID: <8eea04080607261131g6afe0f4dp9c0ea30f78fc3079@mail.gmail.com>
Date: Wed, 26 Jul 2006 11:31:57 -0700
From: "Jon Simola"
To: "Jeffrey Williams"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <44C7AA7F.7060904@sailorfej.net>
References: <013101c6b0ba$371645d0$152ea8c0@phobos> <44C7AA7F.7060904@sailorfej.net>
Subject: Re: SV: nat/outbound traffic not passing in pf on FreeBSD 6.1
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Wed, 26 Jul 2006 18:32:00 -0000

On 7/26/06, Jeffrey Williams wrote:
> I am not running anything that is trying to use the loopback interface
> on this box.

Blocking traffic on the loopback will cause many odd problems. Always use set skip on lo

> The following rule passes traffic in on the internal interface, "pass in
> on $iif inet from $inwr to any keep state", and there is no rule
> blocking traffic out on the internal interface.

The problem here is that the NAT translation of the packet takes place before pass and block rules are processed. NAT'ed packets appear to be incoming on the internal interface with an IP address of the external interface.

So you can pass all traffic on the internal interface, or get a little fancier and use tags with NAT:

nat on $ext_if from $int_if:network to !$int_if:network tag NAT -> ($ext_if:0)
pass all tagged NAT keep state

Or for the minimal ruleset:

nat pass on $ext_if from $int_if:network to !$int_if:network -> ($ext_if:0)

--
Jon
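As an added example that is not part of Jon's message or the original thread, here is a complete pf.conf that puts his two pieces of advice together: loopback is skipped, the translated outbound packet is matched by its tag rather than by a source address that has already been rewritten, and the "nat pass" shortcut is shown as the commented-out alternative. The interface names em0/em1 and the 192.168.1.0/24 LAN are assumptions for illustration; lo0 is used rather than the bare "lo" because FreeBSD 6.x has no loopback interface group.

```pf
# Added example pf.conf (not from the original message).
# Assumed topology: em0 faces the Internet, em1 faces a 192.168.1.0/24 LAN.
ext_if = "em0"
int_if = "em1"

# Never filter loopback: local daemons talking to 127.0.0.1 break otherwise.
set skip on lo0

scrub in all

# Translation rules are evaluated before filter rules, so by the time a
# LAN packet reaches "pass out on $ext_if" its source is already the
# external address. Tag it here so one filter rule can pass it.
nat on $ext_if from $int_if:network to !$int_if:network tag NAT -> ($ext_if:0)

# Default deny; everything below is an explicit exception.
block all

# LAN hosts may reach the firewall and the outside world.
pass in on $int_if inet from $int_if:network to any keep state

# Let the translated traffic out by its tag instead of by (rewritten) address.
pass out on $ext_if tagged NAT keep state

# Minimal alternative: "nat pass" bypasses the filter rules for translated
# packets entirely, so the tag and the "pass out ... tagged NAT" rule are
# not needed. Use one approach or the other, not both.
# nat pass on $ext_if from $int_if:network to !$int_if:network -> ($ext_if:0)
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it (the -n flag parses without applying), then "pfctl -f /etc/pf.conf"; "pfctl -s nat" and "pfctl -s state" show whether the translation rule is present and whether LAN connections are actually creating states on the external interface.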