Date:      Wed, 26 Jul 2006 11:31:57 -0700
From:      "Jon Simola" <jsimola@gmail.com>
To:        "Jeffrey Williams" <jeff@sailorfej.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: SV: nat/outbound traffic not passing in pf on FreeBSD 6.1
Message-ID:  <8eea04080607261131g6afe0f4dp9c0ea30f78fc3079@mail.gmail.com>
In-Reply-To: <44C7AA7F.7060904@sailorfej.net>
References:  <013101c6b0ba$371645d0$152ea8c0@phobos> <44C7AA7F.7060904@sailorfej.net>

On 7/26/06, Jeffrey Williams <jeff@sailorfej.net> wrote:

> I am not running anything that is trying to use the loopback interface
> on this box.

Blocking traffic on the loopback will cause many odd problems. Always use
set skip on lo

> The following rule passes traffic in on the internal interface, "pass in
> on $iif inet from $inwr to any keep state", and there is no rule
> blocking traffic out on the internal interface.

The problem here is that the NAT translation of the packet takes place
before pass and block rules are processed. NAT'ed packets appear to be
incoming on the internal interface with an IP address of the external
interface. So you can pass all traffic on the internal interface, or
get a little fancier and use tags with NAT:

nat on $ext_if from $int_if:network to !$int_if:network tag NAT -> ($ext_if:0)
pass all tagged NAT keep state

Or for the minimal ruleset:

nat pass on $ext_if from $int_if:network to !$int_if:network -> ($ext_if:0)

-- 
Jon
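To show where the two rules above sit in a complete ruleset, here is a constructed minimal pf.conf in the FreeBSD 6.x syntax (translation rules listed before filter rules). This is an added example, not from Jon's message; the interface names em0/em1 are assumptions.

```pf
# Constructed example: FreeBSD 6.x pf.conf using the tag approach from the reply above.
ext_if = "em0"      # assumption: external interface
int_if = "em1"      # assumption: internal (LAN) interface

set skip on lo      # never filter the loopback, as advised above

scrub in all

# Translation happens before pass/block rules are evaluated, so mark the
# translated packets here and let one filter rule recognise them later.
nat on $ext_if from $int_if:network to !$int_if:network tag NAT -> ($ext_if:0)

# Default deny; everything that is allowed is listed explicitly below.
block log all

# LAN hosts may open connections through the firewall.
pass in on $int_if inet from $int_if:network to any keep state

# Pass only those packets that went through the nat rule above; no broad
# "pass out on $ext_if" is needed for LAN traffic.
pass all tagged NAT keep state

# The firewall's own outbound traffic is not translated and therefore not
# tagged, so it needs its own rule.
pass out on $ext_if inet from ($ext_if) to any keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -s state` afterwards to confirm that LAN connections show up as translated states on $ext_if.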