using pf to NAT with only one NIC

Maurice mauduro at
Fri Feb 5 23:19:25 UTC 2010


I have been looking for a couple days now, with no luck, for some direction
as to whether I can successfully configure my freebsd to NAT with only one
NIC.  This is because I am setting up my system to jail my webserver, and I
don't think I can get it to work without NATting it. If you have an
alternate solution that would be great too. This is what my pf.conf looks
like right now:

#       $FreeBSD: src/share/examples/pf/pf.conf,v 2009/04/15
03:14:26 kensmith Exp $
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

block in all
block out all

all_if="{fxp0, lo0}"

#Internal network subnet

#name and IP of webserver

#table <spamd-white> persist

set skip on lo

scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#       -> port spamd

#anchor "ftp-proxy/*"
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }
block in quick from urpf-failed

pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state
rdr on $all_if proto tcp from any to fxp0 port 80 -> $APACHE port 80
nat on $ext_if from $APACHE to any -> fxp0

#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp

That doesn't seem to be doing the trick, since I can't ping and DNS won't
resolve anything from within the jail (APACHE). I am going off some examples
I found that would seem to suggest it is possible with only one NIC, but I
can't seem to get it to work. Any help/advice would be greatly appreciated.



More information about the freebsd-pf mailing list