From: "Ziad Afra"
X-original-sender: ziad.afra@refraction.co.uk
Subject: [pf4freebsd] Re: Version 1.52
Date: Tue, 3 Jun 2003 22:38:09 +0100
List: pf4freebsd (pf4freebsd@freelists.org; archived to freebsd-pf@freebsd.org on Thu, 16 Sep 2004)
Message-ID: <000701c32a18$6db7a740$050410ac@scum>
In-Reply-To: <40481.141.3.10.100.1054637166.squirrel@webmail.vampire.homelinux.org>

All,

I still can't get NAT to work correctly on my setup. It's quite frustrating, I must say.
My configuration is as follows:-

FreeBSD XXX.XXX.XXX 5.0-RELEASE FreeBSD 5.0-RELEASE #6: Wed May 14 00:30:11 BST 2003 root@XXX.XXX.XXX:/usr/obj/usr/src/sys/FREE i386

===[root] ~ # sysctl -a|grep -i forw
kern.smp.forward_signal_enabled: 1
kern.smp.forward_roundrobin_enabled: 1
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 1
net.inet6.ip6.forwarding: 0

===[root] /boot/kernel # pwd
/boot/kernel
###
###
###of concern###
-r-xr-xr-x  1 root  wheel  124916 May 14 01:46 pf.ko
-r-xr-xr-x  1 root  wheel    6844 May 14 01:46 pflog.ko
-r-xr-xr-x  1 root  wheel    8442 May 14 01:46 pfsync.ko

===[root] /boot/kernel # pfctl -sa
scrub in all fragment reassemble
pass quick on lo0 all
nat on fxp0 inet from 172.16.4.1 to any -> 172.16.4.11
pfctl: DIOCGETALTQS: Operation not supported by device
Status: Enabled for 1 days 20:58:49           Debug: None

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
states        hard limit    10000
frags         hard limit     5000

===[root] /usr/local/etc # cat pf.conf
# macros
ext_if = "fxp0"
int_if = "fxp1"
int_lan = "172.16.5.255"

# scrub
scrub in all

# nat/rdr
nat on $ext_if from 172.16.5.1 to any -> 172.16.4.11

As you can see here, I have set an explicit rule for one internal IP to be used, and still no difference. This test firewall is already behind an existing implementation of OpenBSD using PF, which I know works.
So what looks like is happening is that NAT is not working correctly, as per the tcpdump (fxp0 is my external interface to the ubernet):-

===[root] /usr/local/etc # tcpdump -i fxp0 host 172.16.5.1
tcpdump: listening on fxp0
22:31:58.614125 172.16.5.1.3743 > ns.cableinet.net.domain: 7+[|domain]
22:32:00.606079 172.16.5.1.3744 > ns.cableinet.net.domain: 8+ A? www.hotmail.com. (33)

Why is 172.16.5.1 making domain requests on the external interface when it should be 172.16.4.11? NAT looks to be borked with regards to my implementation. Perhaps I have done something wrong?

Comments please! I could really do with some help here...

Regards
Ziad

-----Original Message-----
From: pf4freebsd-bounce@freelists.org [mailto:pf4freebsd-bounce@freelists.org] On Behalf Of Max Laier
Sent: 03 June 2003 11:46
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Version 1.52

Hello,

just uploaded version 1.52 (http://pf4freebsd.love2party.net/pf_freebsd_1.52.tar.gz)

Pyun found some missing initialisations for new structures and fixed a long-standing problem with the "WITH_RANDOM_ID=yes" option (which now has an effect again). Please update to the new version.

I didn't receive any feedback (neither good nor bad) about the new version. Is someone actually running it on her/his box? I have it on my gateway and didn't see anything bad yet, but I am really curious about your experience. So, if you gave it a try, please let me know.

Thanks
Max
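The tcpdump check Ziad runs above (watching the external interface for packets that still carry an internal source address) is the quickest way to tell whether a nat rule is actually translating. The script below automates that check over captured tcpdump output; it is an added example, not code from the thread or from the pf4freebsd project. The sample capture is constructed: the first two packet lines reproduce the symptom from the post, and the third is what a correctly translated packet (source rewritten to 172.16.4.11) would look like. The internal network 172.16.5.0/24 is assumed from the pf.conf macros.

```python
import ipaddress
import re

# Constructed sample of old-style tcpdump output on the external interface.
# Lines 2-3 mirror the untranslated packets from the post; line 4 is a
# constructed packet whose source has been rewritten to the NAT address.
SAMPLE_TCPDUMP = """\
tcpdump: listening on fxp0
22:31:58.614125 172.16.5.1.3743 > ns.cableinet.net.domain: 7+[|domain]
22:32:00.606079 172.16.5.1.3744 > ns.cableinet.net.domain: 8+ A? www.hotmail.com. (33)
22:32:01.001002 172.16.4.11.61000 > ns.cableinet.net.domain: 9+ A? www.freebsd.org. (33)
"""

# Old tcpdump line shape: "<time> <src>.<port> > <dst>.<port>: <payload>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+) > (\S+):")


def split_host_port(endpoint):
    """Split 'host.port' into (host, port).

    tcpdump appends the port (or service name such as 'domain') after the
    last dot, so only the last dot separates host from port.
    """
    host, _, port = endpoint.rpartition(".")
    return host, port


def find_untranslated(capture_text, internal_net):
    """Return (timestamp, src_ip, dst) for every packet whose source address
    lies inside internal_net. On the external interface, any hit means the
    nat rule did not rewrite that packet's source."""
    net = ipaddress.ip_network(internal_net)
    leaks = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner or non-packet line
        ts, src, dst = m.groups()
        src_host, _ = split_host_port(src)
        try:
            addr = ipaddress.ip_address(src_host)
        except ValueError:
            continue  # resolved hostname rather than an address; skip
        if addr in net:
            leaks.append((ts, src_host, dst))
    return leaks


def nat_is_working(capture_text, internal_net):
    """True when no packet on the external interface still has an internal source."""
    return not find_untranslated(capture_text, internal_net)


if __name__ == "__main__":
    # Assumed internal LAN, taken from the int_lan / nat rule in the post.
    for ts, src, dst in find_untranslated(SAMPLE_TCPDUMP, "172.16.5.0/24"):
        print(f"{ts} untranslated source {src} -> {dst}")
    print("NAT working:", nat_is_working(SAMPLE_TCPDUMP, "172.16.5.0/24"))
```

Feed it the output of `tcpdump -n -i <ext_if>` on the external interface (the `-n` flag keeps addresses numeric, which this parser relies on). Checking membership in the internal network rather than "is this a private address" matters here because the NAT address 172.16.4.11 is itself RFC 1918 space and would otherwise be flagged as a false positive.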