Couple minor sniglets with pf...

Jaye Mathisen mrcpu at mathisen.org
Wed Jun 14 06:11:51 UTC 2006



I have a soekris, running a fairly recent release of 6.x with PF support.

Until now, it had been purely used for binat, which worked just fine, but
didn't use any other features.

Finally decided to get rid of my other gear, and just "drop down" to the basics,
so wanted to start using PF for NAT.


And it works fine, except for one problem I'm having, which I think is
related to binat and nat.


There are 3 interfaces.  sis0, which is my private network.  sis1 which
connects to the internet, and sis2 which connects to a separate "privatish"
network, that is where the end hosts for the binat stuff reside.


So, my home PC, on sis0, goes through NAT out to the world, that all
works fine, with 2 exceptions (which I'll get to in a moment).


The problem is if I need to get from a device on my home network, 192.168.0.x,
to a server that is one of the binat'd ones, that get xlat'd from public
IPs to 192.168.2.x...

If I connect to the 192.168.2.x IP directly, it works fine, so it's not
route problems, I think just something with the combination of NAT and binat
is not working.

The 2nd issue is that I cannot get any AIM clients to login.  They worked fine
before pf, and now they don't.  They get partway through the login process,
and then always error out with "A connect error occured".

Just to make sure I'm not smoking dope, I replaced the soekris with
my old linksys router I was using, and it works fine, logs in instantly.

I have not tested regular natd to see.

The symptoms of the public IP connection issue are that, for example,
if I login to 70.68.179.172 which is binat'd to 192.168.2.100 via ssh,
I *get* a login prompt and password.  But when I enter it, I'm logged in to
the soekris router, *not* the .100 box.

I include my minimal pf config cobbled from an example...:

rtr# cat /etc/pf.conf.local | grep -v '^#' | cat -s

ext_if="sis1"   # replace with actual external interface name i.e., dc0
int_if="sis0"   # replace with actual internal interface name i.e., dc1
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
set loginterface $int_if

scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)

binat on sis1 from 192.168.2.100 to any -> 70.58.179.172
binat on sis1 from 192.168.2.103 to any -> 70.58.179.171
binat on sis1 from 192.168.2.104 to any -> 70.58.179.170

pass in all
pass out all

pass quick on lo0 all

block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state



Thanks for any help.
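As an added check (not from the original post or from the pf project), a small Python audit of the translation rules above: it parses the binat, rdr and block lines from a constructed copy of the posted config, reports each binat public address that clients on $int_if can only reach by hitting the router itself, and notes that the ruleset has no default block rule. It assumes the public addresses are configured on the router, which the ssh-lands-on-the-router symptom suggests.

```python
import re

# Constructed sample: the posted pf.conf reduced to the lines this check needs.
PF_CONF = """\
ext_if="sis1"
int_if="sis0"
nat on $ext_if from $int_if:network to any -> ($ext_if)
binat on sis1 from 192.168.2.100 to any -> 70.58.179.172
binat on sis1 from 192.168.2.103 to any -> 70.58.179.171
binat on sis1 from 192.168.2.104 to any -> 70.58.179.170
pass in all
block drop in  quick on $ext_if from $priv_nets to any
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"')
BINAT_RE = re.compile(r'^binat\s+on\s+(\S+)\s+from\s+(\S+)\s+to\s+\S+\s+->\s+(\S+)')
RDR_RE = re.compile(r'^rdr\s+on\s+(\S+)\s+.*?\bto\s+(\S+)\s+(?:port\s+\S+\s+)?->\s+(\S+)')
DEFAULT_BLOCK_RE = re.compile(r'^block(\s+(drop|return))?(\s+(in|out))?(\s+all)?$')

def expand(text, macros):
    # Substitute $macro references using the macros defined so far.
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), text)

def audit(conf):
    # Return findings about hairpin (inside-to-public) gaps and the default policy.
    macros, binats, rdrs, default_block = {}, [], set(), False
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()       # drop comments and padding
        if not line:
            continue
        if m := MACRO_RE.match(line):
            macros[m.group(1)] = m.group(2)
            continue
        line = expand(line, macros)
        if m := BINAT_RE.match(line):
            binats.append((m.group(1), m.group(2), m.group(3)))  # iface, private, public
        elif m := RDR_RE.match(line):
            rdrs.add((m.group(1), m.group(2)))                   # iface, public address
        elif DEFAULT_BLOCK_RE.match(line):
            default_block = True
    int_if = macros.get('int_if')
    findings = []
    for iface, private, public in binats:
        # binat is evaluated only on the interface it names; a client on int_if
        # that dials the public address is never redirected to the private host.
        if (int_if, public) not in rdrs:
            findings.append(f"{public} -> {private}: binat only on {iface}, "
                            f"no rdr on {int_if} for clients inside")
    if not default_block:
        # pf is last-match with a default of pass: with no bare block rule,
        # anything no explicit rule covers is allowed through.
        findings.append("no default block rule; unmatched traffic is passed")
    return findings
```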

