From: eculp@bafirst.com
To: current@freebsd.org
Date: Fri, 22 Jul 2005 18:06:21 -0500
Subject: I just installed pf on a new server w/current and nat doesn't seem to work.
Message-ID: <20050722180621.qj8w6e47i8gkwk88@mail.bafirst.com>
List-Id: Discussions about the use of FreeBSD-current

My major problem is that I am over 2500 miles from the server and in another country. I have configured a current box with the idea of stopping at 6.0, but that is another issue. It would seem that pf nat isn't working.
The machines on the LAN pick up their configuration from dhcpd and can ping their gateway 192.168.1.1 (em0 on the server) and 65.81.102.2 (em1 on the server) but cannot ping 65.81.102.1, the server's gateway. It would seem that there are issues with either ip forwarding or pf nat. When I do a pfctl -vv -s Interfaces I get all zeros even though I am creating traffic on the server. That doesn't seem to be right. My configurations follow. I would sure appreciate any suggestions because I'm afraid that I've missed something. That is usually the case with problems like this.

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

/etc/pf.conf:

int_if = "em0"
ext_if = "em1"
udp_services = "{ 53 }"
tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389, 3128 }"
icmp_types = "echoreq"
priv_nets = "{ 0.0.0.0/8, 20.20.20.0/24, 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 224.0.0.0/3 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

# filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

rc.conf:

ifconfig_em0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_em1="inet 65.81.102.2 netmask 255.255.255.248"
defaultrouter="65.81.102.1"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_program="/sbin/pflogd"
pflog_flags=""

# PF Kernel Config
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ

Where else could it be? I have several other machines that have very similar configurations with no problems; of course, they are all within a 2 hour drive ;)

Thanks for any help or suggestions.

ed
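A consistency check of the quoted nat rule against rc.conf, written as an added example for this archived post (not code from the poster or from FreeBSD): it expands the pf macros, reads the ifconfig_ lines, and reports the plumbing problems that make NAT look dead from the LAN side (forwarding disabled, an interface named in the nat rule with no configured address, a default router that is not on the external subnet). PF_CONF and RC_CONF are constructed abbreviations of the configuration above.

```python
import re
import ipaddress
# Constructed inputs, abbreviated from the pf.conf and rc.conf quoted in the post.
PF_CONF = """\
int_if = "em0"
ext_if = "em1"
nat on $ext_if from $int_if:network to any -> ($ext_if)
"""
RC_CONF = """\
ifconfig_em0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_em1="inet 65.81.102.2 netmask 255.255.255.248"
defaultrouter="65.81.102.1"
gateway_enable="YES"
"""

def parse_kv(text):
    """Collect name = "value" lines; pf.conf macros and rc.conf variables share this shape."""
    return dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', text, re.M))

def expand(rule, macros):
    """Substitute $name references in a pf rule with their macro values."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), rule)

def parse_interfaces(rc_conf):
    """Map interface name to its configured IPv4 address/netmask."""
    pat = r'^ifconfig_(\w+)="inet (\S+) netmask (\S+)"'
    return {name: ipaddress.IPv4Interface(f"{addr}/{mask}")
            for name, addr, mask in re.findall(pat, rc_conf, re.M)}

def check_nat(pf_conf, rc_conf):
    """Return a list of findings; an empty list means the NAT plumbing is consistent."""
    macros, rc = parse_kv(pf_conf), parse_kv(rc_conf)
    ifaces, findings = parse_interfaces(rc_conf), []
    if rc.get("gateway_enable") != "YES":
        findings.append("gateway_enable is not YES: the kernel will not forward packets")
    nat_rules = [expand(l, macros) for l in pf_conf.splitlines() if l.startswith("nat ")]
    if not nat_rules:
        findings.append("no nat rule present")
    for rule in nat_rules:
        m = re.match(r'nat on (\w+) from (\w+):network to any -> \((\w+)\)', rule)
        if not m:
            findings.append(f"nat rule not in the expected form: {rule}")
            continue
        on_if, src_if, tgt_if = m.groups()
        findings += [f"{i} has no ifconfig_{i} line in rc.conf"
                     for i in sorted({on_if, src_if, tgt_if}) if i not in ifaces]
        gw = rc.get("defaultrouter")
        if gw and on_if in ifaces and ipaddress.IPv4Address(gw) not in ifaces[on_if].network:
            findings.append(f"defaultrouter {gw} is not on {on_if}'s subnet")
    return findings
```

Run against the quoted configuration it returns no findings, so the next place to look is whether the ruleset actually loaded (pfctl -s nat) and whether states are created for LAN traffic (pfctl -s state), rather than the rule text itself.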