From: Daniel Hartmeier
To: Jeffrey Williams
Cc: freebsd-pf@freebsd.org
Date: Wed, 26 Jul 2006 22:24:54 +0200
Subject: Re: nat/outbound traffic not passing in pf on FreeBSD 6.1
Message-ID: <20060726202454.GG18492@insomnia.benzedrine.cx>
In-Reply-To: <44C71D8F.9090007@sailorfej.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Can you give us an example of just one connection that doesn't work? Like, local workstation i.i.10.3, connected to em1, matching $inwr, tries to connect to an external host 62.65.145.30. Protocol TCP, source port 12345, destination port 80. The TCP SYN is seen (with tcpdump) incoming on em1.
But it's not seen outgoing (NAT'ed to source address o.o.33.46) on em0.

> scrub in all fragment reassemble
> block drop in log all
> pass in on em0 inet proto tcp from any to i.i.10.15 port = ssh keep state
> pass in on em0 inet proto tcp from any to o.o.33.46 port = ssh keep state
> pass in on em1 inet from i.i.10.0/24 to any keep state
> pass out on em0 inet from o.o.33.46 to any keep state
> block drop in on ! em0 inet from o.o.33.i/29 to any
> block drop in on em0 inet6 from fe80::213:72ff:fe5f:6e6b to any
> block drop in inet from o.o.33.46 to any
> block drop in on ! em1 inet from i.i.10.0/24 to any
> block drop in on em1 inet6 from fe80::213:72ff:fe5f:6e6c to any
> block drop in inet from i.i.10.1 to any

A packet that doesn't match any of those rules will be passed. Since you don't block outgoing packets at all, you should see the TCP SYN go out on em1 (properly NAT'ed). Since NAT implies keep state, a state entry should be created even if you don't have an explicit 'pass out keep state' rule. Your pfctl -si output shows that there are states created, and that packets are matching those states and passing.

You should see the returning TCP SYN+ACK incoming on em1 (with tcpdump), get NAT'ed back to the internal destination address, and leave out on em0.

Make sure that there's nothing weird going on with the network cables, i.e. that em0 is really the internal NIC, that the local workstation does not have any other way to reach the external host except through the pf box, and that it's using the pf box as default gateway.

If the TCP SYN and SYN+ACK show up in any other order (than described above) on the two interfaces, that would be the clue to the problem.

There is no difference between pf on OpenBSD and FreeBSD in this regard, and I very much doubt there is a bug as basic as this still undetected. More likely, there is some other difference between your OpenBSD and FreeBSD setups, as simple as a cable plugged in somewhere :)

Daniel
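As an added illustration (not part of the thread, and not pf's own code), the following Python models pf's stateless rule evaluation over the quoted ruleset: the last matching rule wins, and a packet that matches no rule is passed. The anonymised addresses are replaced with constructed documentation-range stand-ins (i.i.10.0/24 becomes 192.0.2.0/24, o.o.33.46 becomes 198.51.100.46, o.o.33.i/29 is assumed to be 198.51.100.40/29); the state table is deliberately not modelled, so the returning SYN+ACK shows what would happen if no state entry existed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    iface: Optional[str] = None   # None = any interface
    neg: bool = False             # True models "on ! em0"
    af: Optional[str] = None      # "inet", "inet6" or None
    proto: Optional[str] = None
    src: Optional[str] = None     # CIDR, None = any
    dst: Optional[str] = None
    dport: Optional[int] = None

def in_net(addr, net):
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(r, p):
    af = "inet" if ipaddress.ip_address(p["src"]).version == 4 else "inet6"
    return (r.direction == p["dir"]
            and (r.iface is None or (r.iface == p["iface"]) != r.neg)
            and r.af in (None, af)
            and r.proto in (None, p["proto"])
            and in_net(p["src"], r.src) and in_net(p["dst"], r.dst)
            and r.dport in (None, p.get("dport")))

# The quoted ruleset with constructed addresses; scrub is omitted (it normalises, not filters).
RULES = [
    Rule("block", "in"),
    Rule("pass", "in", "em0", af="inet", proto="tcp", dst="192.0.2.15/32", dport=22),
    Rule("pass", "in", "em0", af="inet", proto="tcp", dst="198.51.100.46/32", dport=22),
    Rule("pass", "in", "em1", af="inet", src="192.0.2.0/24"),
    Rule("pass", "out", "em0", af="inet", src="198.51.100.46/32"),
    Rule("block", "in", "em0", neg=True, af="inet", src="198.51.100.40/29"),
    Rule("block", "in", "em0", af="inet6", src="fe80::213:72ff:fe5f:6e6b/128"),
    Rule("block", "in", af="inet", src="198.51.100.46/32"),
    Rule("block", "in", "em1", neg=True, af="inet", src="192.0.2.0/24"),
    Rule("block", "in", "em1", af="inet6", src="fe80::213:72ff:fe5f:6e6c/128"),
    Rule("block", "in", af="inet", src="192.0.2.1/32"),
]

def evaluate(p, rules=RULES):
    """Stateless verdict: (action, index of last matching rule); no match means pass."""
    verdict = ("pass", None)
    for i, r in enumerate(rules):
        if matches(r, p):
            verdict = (r.action, i)
    return verdict
```

Feeding it the SYN from the workstation in on em1, the NAT'ed SYN out on em0, and the SYN+ACK back in on em0 shows the first two passing by rule and the reply hitting "block drop in log all", which is exactly why the state entry that NAT creates matters.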