nat and filtering rules

Алексей alexiy at mail.kar.net
Thu Mar 26 06:23:29 PDT 2009


Hi,

I'm running FreeBSD 7.1-RC1 and Packet Filter as the firewall.

I have the following setup:
A LAN using private address range behind the gateway that is doing NAT.
I want to use PF with ALTQ on the gateway to limit bandwidth by IP 
addresses for the computers in the LAN.

Here are the relevant parts of the configuration file:

##############################
#Translation                 #
##############################

nat on $ext_if from $internal_net to any -> ($ext_if)


##############################
#Queueing                    #
##############################

#Download ...
altq on $int_if cbq bandwidth 10Mb queue { me_d, comp_d, mach_d,  dd}
queue comp_d bandwidth 2Mb cbq
queue me_d bandwidth 5Mb cbq(borrow)
queue mach_d bandwidth 2Mb cbq
queue dd bandwidth 1Mb cbq(default borrow)

#Upload...
altq on $ext_if cbq  bandwidth 10Mb queue { me_u, comp_u, mach_u,  du}
queue comp_u bandwidth 2Mb cbq
queue me_u bandwidth 5Mb cbq(borrow)
queue mach_u bandwidth 2Mb cbq
queue du bandwidth 1Mb cbq(default borrow)


##############################
#Filtering                   #
##############################

# setup a default deny policy
block all

#Here $me, $comp and $mach are IPs from the LAN

#upload
#me
pass in on $int_if from $me to any queue me_u
#comp
pass in on $int_if from $comp to any queue comp_u
#mach
pass in on $int_if from $mach to any queue mach_u


#download
#me
pass out log on $int_if  from any to $me queue me_d
#comp
pass out on $int_if from any to  $comp  queue comp_d
#mach
pass out on $int_if from any to $mach queue mach_d


Right now all the traffic coming from the Internet to the LAN is 
assigned to the default queue "dd".
I may be wrong here, but judging from the blank output of the log, the rule

pass out log on $int_if  from any to $me queue me_d

is not catching anything.  Even if this rule is commented out I am still 
able to access the Internet from this host in the LAN.
I assume that it is the implicit keep state in this rule:

pass in on $int_if from $me to any queue me_u

that takes care of both the packets originating from the LAN and 
returning there.
Is it really so, or did I misunderstand something?
How is it possible to assign the traffic coming from the Internet to the 
LAN through the NAT to the correct queues?


-- 
Regards,
Alex
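Added example, not part of Alex's post: a small Python checker that parses the pf.conf fragment above and reports where a rule's queue is not defined on an interface that packets of that rule's state can leave through. It assumes PF's behaviour that the queue name of the rule that created a state is applied to packets of that state in both directions, and that a queue name unknown to the egress interface's altq puts the packet into that interface's default queue; the interface and queue names are the ones from the post.

```python
import re

# Constructed pf.conf fragment: both altq blocks, their default queues
# and the $me rules from the post (comp/mach rules omitted for brevity).
PF_CONF = """
altq on $int_if cbq bandwidth 10Mb queue { me_d, comp_d, mach_d, dd }
queue me_d bandwidth 5Mb cbq(borrow)
queue dd bandwidth 1Mb cbq(default borrow)
altq on $ext_if cbq bandwidth 10Mb queue { me_u, comp_u, mach_u, du }
queue me_u bandwidth 5Mb cbq(borrow)
queue du bandwidth 1Mb cbq(default borrow)
block all
pass in on $int_if from $me to any queue me_u
pass out log on $int_if from any to $me queue me_d
"""

ALTQ_RE = re.compile(r'^altq on (\S+) .*?queue\s*\{([^}]*)\}')
QUEUE_RE = re.compile(r'^queue (\S+)')
DEFAULT_RE = re.compile(r'\((?:[^)]*\s)?default\b')   # cbq(default ...) etc.
PASS_RE = re.compile(r'^pass (in|out)\b.*?\bon (\S+)\b.*?\bqueue\s+\(?([\w-]+)')

def parse(conf):
    """Return (altq, default, rules) parsed from a pf.conf fragment."""
    altq, default, rules = {}, {}, []
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()
        if ALTQ_RE.match(line):
            m = ALTQ_RE.match(line)
            altq[m.group(1)] = {q.strip() for q in m.group(2).split(',')}
        elif QUEUE_RE.match(line) and DEFAULT_RE.search(line):
            name = QUEUE_RE.match(line).group(1)
            default.update({i: name for i, n in altq.items() if name in n})
        elif PASS_RE.match(line):
            rules.append(PASS_RE.match(line).groups())
    return altq, default, rules

def check(conf):
    """Flag (rule, interface) pairs whose queue is unknown on that interface:
    state traffic leaving there lands in the interface's default queue."""
    altq, default, rules = parse(conf)
    findings = []
    for direction, rule_if, queue in rules:
        for iface, names in altq.items():
            if queue not in names:
                findings.append((direction, rule_if, queue, iface, default.get(iface)))
    return findings

if __name__ == '__main__':
    for direction, rule_if, queue, iface, dflt in check(PF_CONF):
        print(f'pass {direction} on {rule_if} ... queue {queue}: packets of its '
              f'states leaving {iface} land in default queue {dflt}')
```

For the post's ruleset it reports that replies belonging to states created by the me_u rule leave $int_if, where only the download queues exist, and therefore end up in dd.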


