From: Dimitry Andric
To: Matteo Riondato
Cc: freebsd-pf@freebsd.org
Date: Thu, 21 Oct 2004 22:56:52 +0200
Message-ID: <1415983562.20041021225652@andric.com>
In-Reply-To: <1098391754.909.16.camel@kaiser.sig11.org>
References: <1098383388.909.3.camel@kaiser.sig11.org> <1098391754.909.16.camel@kaiser.sig11.org>
Subject: Re: Another problem with pf..
On 2004-10-21 at 22:49:14 Matteo Riondato wrote:

> ext_if = "tun0"
> wifi_if = "rl0"
> eth_if = "fxp1"
> wifi_net = "192.168.1.0/27"
> eth_net = "192.168.0.0/29"
> tcp_services = "{ 22, 80, 25, 4660 >< 4683, 6890 >< 6901 }"
> icmp_types = "{ 0, 3, 8, 11 }"
> scrub in all fragment reassemble
> block drop all
> pass quick on lo0 all
> block drop in log quick on ! rl0 inet from 192.168.1.0/24 to any
> block drop in log quick inet from 192.168.1.1 to any
> block drop in quick on ! fxp1 inet from 192.168.0.0/24 to any
> block drop in quick inet from 192.168.0.1 to any
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port = ssh flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port = http flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port = smtp flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port 4660 >< 4683 flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port 6890 >< 6901 flags S/SA keep state
> pass inet proto icmp all icmp-type echorep
> pass inet proto icmp all icmp-type unreach
> pass inet proto icmp all icmp-type echoreq
> pass inet proto icmp all icmp-type timex
> pass in on rl0 inet from 192.168.1.0/27 to any keep state
> pass out on rl0 inet from any to 192.168.1.0/27 keep state
> pass in on fxp1 inet from 192.168.0.0/29 to any keep state
> pass out on fxp1 inet from any to 192.168.0.0/29 keep state
> pass in on rl0 inet from 192.168.1.200 to 192.168.1.1 keep state
> pass out on rl0 inet from 192.168.1.1 to 192.168.1.200 keep state
> pass out on tun0 proto tcp all flags S/SA modulate state
> pass out on tun0 proto udp all keep state
> pass out on tun0 proto icmp all keep state

Hm, so your rules seem to be okay. Am I missing something, or don't I see any NAT rule in there?

Next question is: what happens if you manually run /etc/rc.d/pf start or reload?
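For readers following the thread: an added example (not posted by either participant) of what the NAT piece the reply asks about would look like, written with the macros the quoted ruleset defines but never uses. It assumes the rl0 and fxp1 networks are meant to reach the Internet through tun0 and that tun0 gets its address dynamically (hence the parenthesised interface).

```pf
# Added example, not from the thread. Macros copied from the quoted ruleset.
ext_if   = "tun0"
wifi_if  = "rl0"
eth_if   = "fxp1"
wifi_net = "192.168.1.0/27"
eth_net  = "192.168.0.0/29"

scrub in all fragment reassemble

# pf.conf section order is macros, options, scrub, queueing, translation,
# filter. Translation rules therefore go here, before the first "block"
# or "pass". Without a nat rule, packets from the LANs leave tun0 with
# their private source address and no reply ever comes back.
nat on $ext_if inet from { $wifi_net, $eth_net } to any -> ($ext_if)

block drop all
pass quick on lo0 all

# Anti-spoofing: the quoted rules block 192.168.1.0/24 and 192.168.0.0/24,
# wider than the /27 and /29 actually in use; using the macros keeps the
# block and pass rules in agreement.
block drop in log quick on ! $wifi_if inet from $wifi_net to any
block drop in quick on ! $eth_if inet from $eth_net to any

pass in on $wifi_if inet from $wifi_net to any keep state
pass in on $eth_if inet from $eth_net to any keep state
pass out on $ext_if proto tcp all flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } all keep state

# Check before loading:   pfctl -nf /etc/pf.conf     (parse only)
# Load and inspect:       pfctl -f /etc/pf.conf && pfctl -s nat
# "pfctl -s nat" printing nothing is exactly the symptom the reply describes.
```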