[pf4freebsd] nat dynamic ip interface

Amir S. amir at boom.org.il
Wed Sep 15 21:02:38 PDT 2004


I'm using FreeBSD 5.2-CURRENT #0: Tue Mar  9 13:05:04 IST 2004.
I have switched to test pf for my nat and firewall,
but I'm having problems with natting my private network to internet.

I have the following interfaces handled by pf:
	fxp0 - local network
	fxp1 - adsl modem, I connect to it over pppoe using freebsd `ppp`.
	tun0 - internet interface

I'm using this rule to do natting:
	nat on $ext_if from $int_if:network to any -> ($ext_if)

The problem begins after my machine has been running for a while:
my internet connection dies and reconnects,
and my interface receives a new IP.

After this point, all my private network can't connect to the internet
until I do: `pfctl -f /etc/pf.conf`
to reload the settings, and then it works again.

This is what `pfctl -s nat` says:
# pfctl -s nat
nat on tun0 inet from 10.10.10.0/24 to any -> (tun0)
rdr on fxp0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
#


I don't know if this might cause this, but I still have ipfw and ipfilter
compiled in the kernel, but I don't use them at the moment.


I have attached below my whole pf.conf file:

#	$FreeBSD: src/etc/pf.conf,v 1.1 2004/03/08 22:03:27 mlaier Exp $
#	$OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#

int_if  = "fxp0"
adsl_if = "fxp1"
ext_if  = "tun0"

tcp_services = "{ 21, 22, 25, 80, 113, 143 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set block-policy drop
set loginterface $ext_if
set fingerprints "/etc/pf.os"

scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)

rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

block all

pass quick on lo0 all

block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass in on $ext_if inet proto tcp from any to ($ext_if) user proxy keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

pass out on $adsl_if proto tcp all modulate state flags S/SA group wheel
pass out on $adsl_if proto { udp, icmp } all keep state group wheel

#########################################################################

thanks,

-- 
	Amir.
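As an added example (not from this post or from pf itself), a small Python check that reads a pf.conf like the one above, expands its macros, and reports rules where the external interface is used in an address position without parentheses: pf resolves a bare `$ext_if` or `$ext_if:network` once at rule load time, while `($ext_if)` follows the interface address as it changes, which is what a PPPoE link that gets a new IP needs. The names `find_static_ext_refs`, `parse_macros` and `SAMPLE_CONF` are this example's own, and the sample config is constructed.

```python
import re

# Added lint example (not from the original post). pf resolves a bare interface
# name or "if:network" once at load time; "(if)" tracks address changes.
RULE_KW = ("nat", "rdr", "binat", "pass", "block")
ADDR_KW = ("from", "to", "->")
MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$')

def is_rule(line):
    """True if the comment-stripped line starts with a pf rule keyword."""
    toks = line.split("#", 1)[0].split()
    return bool(toks) and toks[0] in RULE_KW

def parse_macros(conf):
    """Collect macro definitions such as  ext_if = "tun0"  into a dict."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(line)
        if m and not is_rule(line):
            macros[m.group(1)] = m.group(2).strip()
    return macros

def expand(line, macros):
    """Substitute $name with its macro value; unknown names stay as written."""
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), line)

def find_static_ext_refs(conf, ext_macro="ext_if"):
    """[(line_no, rule)] for rules using the external interface (or its
    :network) after from/to/-> without parentheses, i.e. frozen at load."""
    macros = parse_macros(conf)
    ext = macros.get(ext_macro)
    findings = []
    for no, raw in enumerate(conf.splitlines(), 1):
        if not ext or not is_rule(raw):
            continue
        toks = expand(raw.split("#", 1)[0], macros).split()
        for i, tok in enumerate(toks[:-1]):
            # "(tun0)" passes; "tun0" and "tun0:network" are reported
            if tok in ADDR_KW and toks[i + 1].split(":")[0] == ext:
                findings.append((no, raw.strip()))
                break
    return findings

# Constructed sample: lines 3 and 5 freeze the address, lines 4 and 6 do not.
SAMPLE_CONF = """\
int_if = "fxp0"
ext_if = "tun0"
nat on $ext_if from $int_if:network to any -> $ext_if
nat on $ext_if from $int_if:network to any -> ($ext_if)
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state
"""
```

Run against the pf.conf posted above, the check reports nothing, since every address use of $ext_if there is already parenthesized.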

