pf: nat works, ip blocking and logging do not
Morgan Wesström
freebsd-pf at pp.dyndns.biz
Sat Feb 13 20:56:58 UTC 2010
> nat works great.
>
> Unfortunately, I can still go to 11.11.11.111 or 22.22.22.222 with no
> blocking and no logging on /var/log/pflog.
>
> When I tcpdump listen to pflog0 there are no entries when I go to those ips.
> What am I doing wrong here that is preventing logging and blocking from
> working?
>
> [gouda:root]/root# tcpdump -vvveni pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture
> size 96 bytes
>
> [gouda:root]/root# cat /etc/pf.conf
> ext_if="em0"
> int_if="sk0"
> set skip on lo0
> scrub in
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> block drop in log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222 }
> to any
> block drop out log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222
> } to any
> pass in all
> pass out all
>
You have to reverse the order of the source and destination in your
outgoing rule. It should be:
block drop out log (all) quick on $ext_if from any to { 11.11.11.111,
22.22.22.222 }
/Morgan
More information about the freebsd-pf
mailing list