misc/119139: FreeBSD router PF nating internal to external network not working
Faysal Banna
degreane at gmail.com
Sat Dec 29 11:10:01 PST 2007
>Number: 119139
>Category: misc
>Synopsis: FreeBSD router PF nating internal to external network not working
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Dec 29 19:10:00 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator: Faysal Banna
>Release: FreeBSD 7 beta4
>Organization:
comnet
>Environment:
FreeBSD FBSD.comnet.net.lb 7.0-BETA4 FreeBSD 7.0-BETA4 #0: Fri Dec 28 16:50:46 EET 2007 root at FBSD.comnet.net.lb:/usr/obj/usr/src/sys/FAYSAL i386
>Description:
Good Day.
I am trying to use FreeBSD as a router/NAT box. I set up PF (packet filter) as described in the manual, did all that is necessary to the kernel, and enabled pf in /etc/rc.conf.
After about three hours of struggling to make the system work as a router/NAT box, I failed.
I was able to connect to the box and ssh to it from both network cards; I have no problem with that, and I was able to tcpdump both network cards.
The system is connected to two network cards, rl0 and rl1 respectively.
In the PF pfctl interface, only to test, I did this:
echo "block quick all " | pfctl -f -
and to my surprise I was always able to connect to the box and it didn't block me out, which looks like pf is not reached or touched.
Here is a listing, check it out; this should illustrate what I mean:
FBSD# ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:40:f4:eb:67:33
inet 192.168.151.19 netmask 0xffffff00 broadcast 192.168.151.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:40:f4:eb:5d:dd
inet 172.16.55.1 netmask 0xffffff00 broadcast 172.16.55.255
media: Ethernet autoselect (none)
status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
pfsync0: flags=0<> metric 0 mtu 1460
syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
FBSD# echo "block quick all " | pfctl -f -
FBSD# pfctl -sa -v
FILTER RULES:
block drop quick all
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 1504 ]
No queue in use
INFO:
Status: Disabled Debug: Urgent
Hostid: 0x2df50bf7
Checksum: 0xf67edfbb4f38672f79691ea6b22dd653
State Table Total Rate
current entries 0
searches 0 0.0/s
inserts 0 0.0/s
removals 0 0.0/s
Source Tracking Table
current entries 0
searches 0 0.0/s
inserts 0 0.0/s
removals 0 0.0/s
Counters
match 0 0.0/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
Limit Counters
max states per rule 0 0.0/s
max-src-states 0 0.0/s
max-src-nodes 0 0.0/s
max-src-conn 0 0.0/s
max-src-conn-rate 0 0.0/s
overload table insertion 0 0.0/s
overload flush states 0 0.0/s
TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 6000 states
adaptive.end 12000 states
src.track 0s
LIMITS:
states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
tables hard limit 1000
table-entries hard limit 200000
OS FINGERPRINTS:
696 fingerprints loaded
FBSD# who am i
root ttyp0 Dec 29 22:43 (192.168.151.34)
FBSD#
Regards
Faysal Banna
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
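The pfctl output in the report shows "Status: Disabled", so the rule set is loaded but the filter itself is not running, which is consistent with "block quick all" blocking nothing. As an added example (not part of the report or of FreeBSD's own tooling), a small sh diagnostic that reads `pfctl -s info` text plus the value of the net.inet.ip.forwarding sysctl and names what a PF router still needs; the sample text is constructed from the shape of the report's output, and the function names are the example's own.

```shell
#!/bin/sh
# Added diagnostic (not from the report or FreeBSD): rules load into pf, but nothing
# is filtered or translated. The two usual causes are pf not enabled in the kernel
# and IP forwarding off, so check both from the text pfctl and sysctl produce.

# Constructed sample, shaped like the INFO section of the report's `pfctl -sa -v`.
SAMPLE_PF_INFO='INFO:
Status: Disabled Debug: Urgent
Hostid: 0x2df50bf7
State Table Total Rate
current entries 0'

# Return 0 when the pfctl INFO block says the filter is enabled ("Status: Enabled for ...").
pf_enabled() {
    printf '%s\n' "$1" |
        awk '/^Status:/ { if ($2 == "Enabled") found = 1 } END { exit found ? 0 : 1 }'
}

# $1 = `pfctl -s info` text, $2 = value of sysctl net.inet.ip.forwarding.
# Prints "ok" or a semicolon-separated list of what the router still needs.
pf_router_findings() {
    findings=""
    if ! pf_enabled "$1"; then
        findings="${findings}pf disabled: pfctl -e now, pf_enable=YES in rc.conf for boot;"
    fi
    if [ "$2" != "1" ]; then
        findings="${findings}forwarding off: sysctl net.inet.ip.forwarding=1, gateway_enable=YES for boot;"
    fi
    [ -n "$findings" ] || findings="ok"
    printf '%s\n' "$findings"
}

# On the router itself (commented out so the script runs offline):
# pf_router_findings "$(pfctl -s info)" "$(sysctl -n net.inet.ip.forwarding)"
pf_router_findings "$SAMPLE_PF_INFO" 0
```

Run on the box as root after loading rules; a ruleset whose counters stay at zero while the status line reads Disabled points at pf_enable rather than at the rules.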