[pf4freebsd] Re: nat dynamic ip interface

Pyun YongHyeon yongari at kt-is.co.kr
Wed Sep 15 21:02:48 PDT 2004


On Tue, Mar 16, 2004 at 10:57:34AM +0200, Amir S. wrote:
 > I'm using FreeBSD 5.2-CURRENT #0: Tue Mar  9 13:05:04 IST 2004.
 > I have switched to test pf for my nat and firewall,
 > but I'm having problems with natting my private network to internet.
 > 
 > I have the following interfaces handled by pf:
 > 	fxp0 - local network
 > 	fxp1 - adsl modem, I connect to it over pppoe using freebsd `ppp`.
 > 	tun0 - internet interface
 > 
 > I'm using this rule to do natting:
 > 	nat on $ext_if from $int_if:network to any -> ($ext_if)
 > 
 > the problems begin after my machine has been running for a while:
 > my internet connection dies and reconnects,
 > and my interface receives a new IP.
 > 
 > after this point, all my private network can't connect to the internet
 > until I do: `pfctl -f /etc/pf.conf`
 > to reload the settings and then it works again.
 > 
Hmm... In the FreeBSD pf port, we needed an extra compilation flag
(-DHOOK_HACK) to detect interface address changes. After Max's import,
it seems that there are no such compilation flags in the Makefile.
Because Max already patched the kernel to support dynamic IP address
detection, pf should not need the -DHOOK_HACK flag anymore. However,
at present, the support code in the pf source is not enabled by default.
Maybe Max already knows this and will fix it in the near future.

If you want to experiment with the feature, you can add the additional flags
in your /usr/src/sys/modules/pf/Makefile:

CFLAGS+=  -Wall -I${.CURDIR}/../../contrib/pf -DHOOK_HACK

Build the pf module and reload it.
When the xDSL connection is reestablished, you should not encounter any
connection drop and won't need to reissue pfctl to reload the rule set.

 > this is what `pfctl -s nat` says:
 > # pfctl -s nat
 > nat on tun0 inet from 10.10.10.0/24 to any -> (tun0)
 > rdr on fxp0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
 > #
 > 
 > 
 > I don't know if this might cause this, but I still have ipfw and ipfilter
 > compiled in the kernel but I don't use them at the moment.
 > 
I would say remove unnecessary filtering software.
Of course, if you don't use these programs, they don't cause any
problems for pf.

 > 
 > I have attached below my whole pf.conf file:
 > 
 > #	$FreeBSD: src/etc/pf.conf,v 1.1 2004/03/08 22:03:27 mlaier Exp $
 > #	$OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
 > #
 > 
 > int_if  = "fxp0"
 > adsl_if = "fxp1"
 > ext_if  = "tun0"
 > 
 > tcp_services = "{ 21, 22, 25, 80, 113, 143 }"
 > icmp_types = "echoreq"
 > 
 > priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
 > 
 > set timeout { interval 10, frag 30 }
 > set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
 > set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
 > set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
 > set timeout { icmp.first 20, icmp.error 10 }
 > set timeout { other.first 60, other.single 30, other.multiple 60 }
 > set timeout { adaptive.start 0, adaptive.end 0 }
 > set limit { states 10000, frags 5000 }
 > set block-policy drop
 > set loginterface $ext_if
 > set fingerprints "/etc/pf.os"
 > 
 > scrub in all
 > 
 > nat on $ext_if from $int_if:network to any -> ($ext_if)
 > 
 > rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
 > 
 > block all
 > 
 > pass quick on lo0 all
 > 
 > block drop in  quick on $ext_if from $priv_nets to any
 > block drop out quick on $ext_if from any to $priv_nets
 > 
 > pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
 > 
 > pass in inet proto icmp all icmp-type $icmp_types keep state
 > 
 > pass in on $int_if from $int_if:network to any keep state
 > pass out on $int_if from any to $int_if:network keep state
 > 
 > pass in on $ext_if inet proto tcp from any to ($ext_if) user proxy keep state
 > 
 > pass out on $ext_if proto tcp all modulate state flags S/SA
 > pass out on $ext_if proto { udp, icmp } all keep state
 > 
 > pass out on $adsl_if proto tcp all modulate state flags S/SA group wheel
 > pass out on $adsl_if proto { udp, icmp } all keep state group wheel
 > 
 > #########################################################################
 > 
 > thanks,
 > 
 > -- 
 > 	Amir.
 > 
 > 

Regards,
Pyun YongHyeon
-- 
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
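Two helpers for what the reply above describes, as an added example (this is not code from the original mail and not a pf tool of its own): an idempotent edit that adds the -DHOOK_HACK CFLAGS line to the pf module Makefile plus the rebuild/reload sequence, and a heuristic lint that flags rules on the external interface which pin an address rather than use the "(ifname)" form that pf re-evaluates when the interface address changes. Assumptions: the function names and the sample rule lines are this example's own; the lint expects rules as printed by `pfctl -s nat` / `pfctl -s rules` (pf.conf macros such as $ext_if are not expanded by it); interface names are plain alphanumerics, since they go unescaped into awk regexes; `make install` puts pf.ko where `kldload pf` finds it. The Makefile step is specific to the 2004 import discussed here; current FreeBSD tracks address changes for "(ifname)" without any build flag.

```shell
#!/bin/sh
# Added example, not from the original mail. Helpers around the reply's advice:
# (1) enable -DHOOK_HACK in the pf module Makefile and rebuild/reload the module,
# (2) lint expanded pf rules for addresses on the external interface that will
#     go stale after a PPPoE reconnect. Names and sample data are assumptions.

# The exact line the reply says to add to /usr/src/sys/modules/pf/Makefile.
HOOK_HACK_CFLAGS='CFLAGS+=  -Wall -I${.CURDIR}/../../contrib/pf -DHOOK_HACK'

# enable_hook_hack MAKEFILE
# Append the CFLAGS line once; a second call is a no-op, so re-running a
# provisioning script never stacks duplicate lines.
enable_hook_hack() {
    mk=$1
    if grep -q -- '-DHOOK_HACK' "$mk"; then
        return 0
    fi
    printf '%s\n' "$HOOK_HACK_CFLAGS" >> "$mk"
}

# rebuild_pf_module [SRCDIR]
# Rebuild and swap in the module. Unloading pf discards all rules and state,
# so LAN hosts lose NAT until the final pfctl -f; run it from the console or
# a session that does not depend on pf. Assumes `make install` places pf.ko
# where `kldload pf` finds it. Never called by the demo or the test below.
rebuild_pf_module() {
    src=${1:-/usr/src/sys/modules/pf}
    ( cd "$src" && make clean && make && make install ) || return 1
    kldunload pf || return 1
    kldload pf || return 1
    pfctl -f /etc/pf.conf
}

# find_static_ext_rules RULES_FILE EXT_IF
# Flags two brittle forms on EXT_IF:
#  - the bare interface name used as an address after from/to/->, which pf
#    expands to the address once at load time ("(EXT_IF)" follows changes);
#  - a nat rule translating to a literal IPv4 address. rdr targets are left
#    alone: redirecting to an internal host (e.g. 127.0.0.1) is legitimate.
find_static_ext_rules() {
    awk -v ifc="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $0 ~ ("(from|to|->)[ \t]+" ifc "([ \t]|$)") {
            print "bare interface address, expanded at load time: " $0
            next
        }
        /^[ \t]*nat[ \t]/ && $0 ~ ("on[ \t]+" ifc "[ \t]") &&
        /->[ \t]+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ {
            print "literal nat address on " ifc ": " $0
        }
    ' "$1"
}

# write_sample_rules FILE
# Constructed sample in the shape of `pfctl -s nat` output (ext_if = tun0).
# The first two lines match what the mail's pf.conf loads; the rest are
# deliberately brittle variants that the lint should catch.
write_sample_rules() {
    cat > "$1" <<'EOF'
nat on tun0 inet from 10.10.10.0/24 to any -> (tun0)
rdr on fxp0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
nat on tun0 inet from 10.10.10.0/24 to any -> tun0
nat on tun0 inet from 10.10.10.0/24 to any -> 203.0.113.7
pass in on tun0 inet proto tcp from any to tun0 port = ssh flags S/SA keep state
pass in on tun0 inet proto tcp from any to (tun0) port = ssh flags S/SA keep state
EOF
}

# Stand-alone run: lint the constructed sample. Nothing here touches the
# kernel; rebuild_pf_module is only ever invoked by hand on the FreeBSD box.
demo=$(mktemp)
write_sample_rules "$demo"
find_static_ext_rules "$demo" tun0
rm -f "$demo"
```

Usage on the live box: `pfctl -s nat > /tmp/nat.txt; pfctl -s rules >> /tmp/nat.txt; find_static_ext_rules /tmp/nat.txt tun0`. A clean run only tells you the rules are written in the dynamic form; whether the kernel actually refreshes "(tun0)" after a reconnect is exactly what the HOOK_HACK build in the reply addresses, so after rebuilding, drop the PPPoE session, let it come back and confirm LAN hosts reach the Internet without a `pfctl -f`.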
