pf + NAT + log

Kevin Wilcox kevin.wilcox at gmail.com
Tue Oct 19 14:27:19 UTC 2010


Hi everyone. I sent this out to freebsd-questions@ yesterday but
haven't had any nibbles.

I'm testing NAT on FreeBSD 8.1. My setup is very simple:

My workstation -> { internal network switch } -> FreeBSD 8.1 routing
firewall with squid 3 -> { switch going to Internet }

My pf configuration is a bare minimum for passing everything and
logging at every stage I can think of. I'll start filtering after I
get this sorted out.

pf.conf:

=======================

ext_if=bge0
int_if=bge1

rdr pass log(all) on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128

nat pass log(all) on $ext_if from $int_if:network to any -> ($ext_if)

pass log(all) on $int_if
pass log(all) on $ext_if

=======================

If my internal workstation is 10.201.201.1, the external interface on
my FreeBSD machine is 10.100.100.1 and I ssh to a server at 10.1.1.1,
the connection works. On the server I get a connection on port 22 from
the FreeBSD router on source port 30000. This is confirmed by netstat
and tcpdump on the server.

On the workstation, tcpdump and netstat confirm a connection from the
workstation to the server; destination port is 22, source port is
10000.

On the FreeBSD router, 'pfctl -s s' confirms:

all tcp 10.201.201.1:10000 -> 10.100.100.1:30000 -> 10.1.1.1:22
ESTABLISHED:ESTABLISHED

Here is where my problem sits. If I do a tcpdump of the pflog, I get
an entry from my workstation to the server showing communication from
port 10000 to port 22. I get an entry from the FreeBSD router to the
server, from port 30000 to port 22. What I don't get, and what I
desperately need, is a way to show that the connection from the
FreeBSD router to the server is on behalf of my workstation.

Have I missed something in the NAT configuration that logs the actual
translations? Can you configure pf to log similar to the output of
pfctl where it shows something like:

<time> <protocol stuff> 10.201.201.1.10000 > 10.100.100.1.30000 >
10.1.1.1.22 <TCP stuff>

Basically, I need to log all of the translations such that if I have
five internal machines all ssh to one server around the same time, and
the server admin comes back and says, "one of your users tried to
login as root from port 12345", I can go back and look at the pflog
and say, "oh, that connection was a NAT translation from
<workstation>".

Thanks!

kmw
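An added example, not from the post or from pf itself, of the join the post is asking for: it parses the three-address form of `pfctl -s state` shown above (assumed to be the exact format) and answers which internal endpoint sat behind a given translated source port and destination. The state table below is constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `pfctl -s state` output in the three-address form the
# post shows: original source -> translated source -> destination.
# A line with only two addresses is a state that was not translated.
STATE_TABLE = """\
all tcp 10.201.201.1:10000 -> 10.100.100.1:30000 -> 10.1.1.1:22       ESTABLISHED:ESTABLISHED
all tcp 10.201.201.2:10000 -> 10.100.100.1:30001 -> 10.1.1.1:22       ESTABLISHED:ESTABLISHED
all tcp 10.201.201.3:51234 -> 10.100.100.1:30002 -> 10.1.1.1:22       ESTABLISHED:ESTABLISHED
all udp 10.201.201.1:5353 -> 10.1.1.1:53       MULTIPLE:SINGLE
"""

# The middle "nat -> " group is optional so untranslated states parse too.
STATE_RE = re.compile(
    r"^(?P<scope>\S+)\s+(?P<proto>\S+)\s+(?P<orig>\S+)\s+->\s+"
    r"(?:(?P<nat>\S+)\s+->\s+)?(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)

@dataclass(frozen=True)
class Translation:
    proto: str
    orig: str            # internal host:port as seen on $int_if
    nat: Optional[str]   # $ext_if host:port after nat, None if untranslated
    dst: str             # remote server host:port
    state: str

def parse_states(text: str) -> List[Translation]:
    """Parse every state line; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            out.append(Translation(m["proto"], m["orig"], m["nat"], m["dst"], m["state"]))
    return out

def attribute(states: List[Translation], nat_endpoint: str, dst: str,
              proto: str = "tcp") -> Optional[str]:
    """Which internal endpoint is behind the translated host:port the remote
    admin reported for this destination? None if no matching state."""
    for t in states:
        if t.proto == proto and t.nat == nat_endpoint and t.dst == dst:
            return t.orig
    return None

def translation_log_line(t: Translation) -> str:
    """Render a state in the orig > nat > dst form the post wants logged."""
    middle = f" > {t.nat}" if t.nat else ""
    return f"{t.proto} {t.orig}{middle} > {t.dst}"
```

Because pf keeps the translation only in the live state table, snapshot `pfctl -s state` periodically (for example from cron) alongside the pflog so the mapping survives after the state expires.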

