[pf4freebsd] Re: Version 1.52
ziad.afra at refraction.co.uk
Wed Sep 15 20:39:28 PDT 2004
I still can't get NAT to work correctly on my setup. It's quite
frustrating, I must say...
My configuration is as follows:-
FreeBSD XXX.XXX.XXX 5.0-RELEASE FreeBSD 5.0-RELEASE #6: Wed May 14
00:30:11 BST 2003 root at XXX.XXX.XXX:/usr/obj/usr/src/sys/FREE i386
===[root] ~ # sysctl -a|grep -i forw
===[root] /boot/kernel # pwd
-r-xr-xr-x 1 root wheel 124916 May 14 01:46 pf.ko
-r-xr-xr-x 1 root wheel 6844 May 14 01:46 pflog.ko
-r-xr-xr-x 1 root wheel 8442 May 14 01:46 pfsync.ko
===[root] /boot/kernel # pfctl -sa
scrub in all fragment reassemble
pass quick on lo0 all
nat on fxp0 inet from 172.16.4.1 to any -> 172.16.4.11
pfctl: DIOCGETALTQS: Operation not supported by device
Status: Enabled for 1 days 20:58:49 Debug: None
State Table Total Rate
current entries 0
searches 0 0.0/s
inserts 0 0.0/s
removals 0 0.0/s
match 0 0.0/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
states hard limit 10000
frags hard limit 5000
===[root] /usr/local/etc # cat pf.conf
ext_if = "fxp0"
int_if = "fxp1"
int_lan = "172.16.5.255"
scrub in all
nat on $ext_if from 172.16.5.1 to any -> 172.16.4.11
As you can see here, I have set an explicit rule for one internal IP to be
used, and still no difference. This test firewall is already behind an
existing OpenBSD implementation using PF, which I know works.
So what looks to be happening is that NAT is not working correctly, as
per the tcpdump (fxp0 is my external interface to the ubernet):-
===[root] /usr/local/etc # tcpdump -i fxp0 host 172.16.5.1
tcpdump: listening on fxp0
22:31:58.614125 172.16.5.1.3743 > ns.cableinet.net.domain: 7+[|domain]
22:32:00.606079 172.16.5.1.3744 > ns.cableinet.net.domain: 8+ A?
Why is 172.16.5.1 making domain requests on the external interface
when it should be 172.16.4.11?
NAT looks to be borked with regard to my implementation. Perhaps I
have done something wrong?
Comments please! I could really do with some help here...
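One way to check for this kind of mismatch, as an added example that is not from the post or from pf itself: a small Python script that expands the pf.conf macros, evaluates the nat rules the way pf would for a single outbound packet, and reports any nat rule present in the file but absent from the loaded ruleset. The rule strings are taken from the post above; the destination address and the packet itself are constructed.

```python
import ipaddress
import re

# Constructed from the post: the nat rule that "pfctl -sa" reports as loaded,
# and the pf.conf on disk. Only the "nat on IF [inet] from SRC to DST -> ADDR"
# shape used in the post is handled; this is an illustration, not pf's parser.
LOADED_RULES = "nat on fxp0 inet from 172.16.4.1 to any -> 172.16.4.11\n"
PF_CONF = '''ext_if = "fxp0"
int_if = "fxp1"
int_lan = "172.16.5.255"
scrub in all
nat on $ext_if from 172.16.5.1 to any -> 172.16.4.11
'''

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
NAT_RE = re.compile(r'^\s*nat on (\S+)(?: inet)? from (\S+) to (\S+) -> (\S+)\s*$')

def parse_nat_rules(text):
    """Expand $macro references and return the nat rules as dicts."""
    macros, rules = {}, []
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r'\$(\w+)', lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        m = NAT_RE.match(line)
        if m:
            iface, src, dst, to = m.groups()
            rules.append({"iface": iface, "src": src, "dst": dst, "to": to})
    return rules

def _matches(spec, addr):
    """'any' matches everything; otherwise treat spec as a host or CIDR block."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def translate(rules, iface, src, dst):
    """Return the source address a packet leaves with under the given nat rules."""
    for r in rules:
        if r["iface"] == iface and _matches(r["src"], src) and _matches(r["dst"], dst):
            return r["to"]
    return src  # no nat rule matched: the packet leaves untranslated

def ruleset_drift(conf_text, loaded_text):
    """Nat rules present in pf.conf but missing from the loaded ruleset."""
    loaded = parse_nat_rules(loaded_text)
    return [r for r in parse_nat_rules(conf_text) if r not in loaded]

if __name__ == "__main__":
    pkt = ("fxp0", "172.16.5.1", "194.117.134.19")  # constructed outbound DNS query
    print("loaded ruleset :", translate(parse_nat_rules(LOADED_RULES), *pkt))
    print("pf.conf on disk:", translate(parse_nat_rules(PF_CONF), *pkt))
    print("drift          :", ruleset_drift(PF_CONF, LOADED_RULES))
```

Comparing the two results for the same packet shows whether the kernel is enforcing the file on disk or an older ruleset; a non-empty drift list is the cue to reload the file and re-check with `pfctl -sn`.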
From: pf4freebsd-bounce at freelists.org
[mailto:pf4freebsd-bounce at freelists.org] On Behalf Of Max Laier
Sent: 03 June 2003 11:46
To: pf4freebsd at freelists.org
Subject: [pf4freebsd] Version 1.52
Just uploaded version 1.52.
Pyun found some missing initialisations for new structures and fixed a
long-standing problem with the "WITH_RANDOM_ID=yes" option (which now
has an effect again).
Please update to the new version.
I didn't receive any feedback (neither good nor bad) about the new
version. Is someone actually running it on her/his box? I have it on my
gateway and didn't see anything bad yet, but I am really curious about
your experience. So, if you gave it a try, please let me know.