Date: Sat, 13 Feb 2010 10:05:22 -0800 From: Alex Teslik <whereisalext@gmail.com> To: freebsd-pf@freebsd.org Subject: pf: nat works, ip blocking and logging do not Message-ID: <d24a9c161002131005h50d6dc7ie129f9b74eae55c@mail.gmail.com>
I set up pf with NAT on my FreeBSD 7 system:
[gouda:root]/root# pfctl -sa -vvvv
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
@0 nat on em0 inet from 192.168.4.0/24 to any -> (em0) round-robin
  [ Evaluations: 29986     Packets: 67086     Bytes: 54746182    States: 21    ]
  [ Inserted: uid 0 pid 66358 ]
FILTER RULES:
@0 scrub in all fragment reassemble
  [ Evaluations: 1030123   Packets: 539441    Bytes: 76737270    States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@0 block drop in log (all) quick on em0 inet from 11.11.11.111 to any
  [ Evaluations: 75127     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@1 block drop in log (all) quick on em0 inet from 22.22.22.222 to any
  [ Evaluations: 32476     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@2 block drop out log (all) quick on em0 inet from 11.11.11.111 to any
  [ Evaluations: 56044     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@3 block drop out log (all) quick on em0 inet from 22.22.22.222 to any
  [ Evaluations: 23568     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@4 pass in all flags S/SA keep state
  [ Evaluations: 75130     Packets: 311544    Bytes: 126402695   States: 62    ]
  [ Inserted: uid 0 pid 66358 ]
@5 pass out all flags S/SA keep state
  [ Evaluations: 75130     Packets: 239954    Bytes: 97798568    States: 55    ]
  [ Inserted: uid 0 pid 66358 ]
NAT works great.
Unfortunately, I can still go to 11.11.11.111 or 22.22.22.222 with no blocking and no logging in /var/log/pflog.
When I listen on pflog0 with tcpdump, there are no entries when I go to those IPs.
What am I doing wrong here that is preventing logging and blocking from working?
[gouda:root]/root# tcpdump -vvveni pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
[gouda:root]/root# cat /etc/pf.conf
ext_if="em0"
int_if="sk0"
set skip on lo0
scrub in
nat on $ext_if from $int_if:network to any -> ($ext_if)
block drop in log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222 } to any
block drop out log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222 } to any
pass in all
pass out all
Thank you for your thoughts.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d24a9c161002131005h50d6dc7ie129f9b74eae55c>
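Editorial note, not part of the original post or of any reply on the list. The counters in the pfctl output above are the clue: the four block rules are being evaluated (Evaluations is non-zero) but have never matched a packet (Packets: 0). Both block rules in the posted pf.conf match on the source address ("from 11.11.11.111"). When this host or a NAT client opens a connection to one of those addresses, the outbound packet has the listed address as its destination, so the "block out ... from" rule cannot match and the "pass out all" rule (which keeps state by default, as the "keep state" in the loaded ruleset shows) creates a state entry. The reply from 11.11.11.111 is then matched against the state table before the ruleset is consulted, so the "block in ... from 11.11.11.111" rule is never reached either, and nothing is written to pflog0. The tcpdump warning "no IPv4 address assigned" is harmless; pflog0 never has an address.

The pf.conf below is an added example of the corrected policy, keeping the interface names em0/sk0 and the placeholder addresses from the post. The table name <badhosts> and the choice to also block on the internal interface are assumptions about what the poster intended, not anything the list confirmed.

```pf
# Added example (not from the original post): block and log any traffic
# to or from the two listed addresses on this NAT gateway.
# em0/sk0 and the placeholder addresses come from the post; the table name
# and the extra rule on $int_if are assumptions.
ext_if="em0"
int_if="sk0"
table <badhosts> { 11.11.11.111, 22.22.22.222 }

set skip on lo0
scrub in

nat on $ext_if from $int_if:network to any -> ($ext_if)

# As posted (commented out for comparison): both rules match only when a
# listed address is the SOURCE, so connections opened TO those addresses
# never hit them, and the replies are passed by the state the pass rules
# create. "log (all)" is pointless on a block rule, which creates no state.
#block drop in  log (all) quick on $ext_if from <badhosts> to any
#block drop out log (all) quick on $ext_if from <badhosts> to any

# Corrected: unsolicited traffic FROM the hosts is dropped on the way in,
# and traffic TO the hosts is dropped on the way out of em0. The rule on
# sk0 catches NAT clients on ingress, before any state is created for them.
# "quick" stops evaluation before the pass rules below.
block drop in  log quick on $ext_if from <badhosts> to any
block drop out log quick on $ext_if from any to <badhosts>
block drop in  log quick on $int_if from any to <badhosts>

pass in all
pass out all
```

Check it with `pfctl -nf /etc/pf.conf` (parse only), load it with `pfctl -f /etc/pf.conf`, try to reach one of the addresses, and then confirm the block rules' Packets counters increase in `pfctl -vsr` while `tcpdump -n -e -ttt -i pflog0` shows the dropped packets. Because the blocked connection never gets a state entry, the replies from those addresses will also be dropped and logged by the inbound rule.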
