PF and NAT on FreeBSD 5.3

Kosta Kilim kopno at sdf.lonestar.org
Wed Jan 19 08:06:55 PST 2005


Hello,

I'm trying to set up PF with NAT for my home network.

PF is compiled into the kernel (FreeBSD 5.3, fresh cvsup) and working;
I can do pfctl -e|-d|-s just fine, and pflog0 is seen in the
ifconfig output.

My IP range is a class C /29.

I have an ADSL router which works in bridged mode. So I connect to the
ISP, get a static address for the router, then I assign one from the
/29 range to the machine I'd like to act as a firewall.

So the router takes one address and the machine takes one address from
the class C /29. The other addresses can be ignored; I don't want to use them.

For the rest of the machines on the network, I'd like them to go
through this machine, which should do NAT using PF.

The machine has the IP from the class C /29 range on one NIC and
192.168.0.0/27 on the other.

So what I'd like to know is how to write the rules to perform
this. I thought that just taking the rules from the first example of
the PF tutorial would do; I changed them slightly to suit my
scenario. But still I can only go to the net with the one machine on
the class C /29 subnet.

Any hints would be gladly received. Thank you for your time.



# macros, these are renamed to my NIC names
int_if = "fxp0"          # internal NIC, 192.168.0.0/27
ext_if = "ep0"           # external NIC, holds the public /29 address

tcp_services = "{ 22 }"  # services reachable from the outside (ssh)
icmp_types = "echoreq"   # only echo requests (ping) are allowed in

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/27 }"

# options
set block-policy return          # blocked TCP gets RST, UDP gets ICMP unreachable
set loginterface $ext_if         # per-interface counters, shown by pfctl -s info

# scrub: normalise everything coming in (reassemble fragments, etc.)
scrub in all

# nat: rewrite the source address of packets from the internal net that
# leave on $ext_if to whatever address $ext_if currently has. The
# parentheses make pf re-read the interface address if it changes.
# Translation alone is not enough: the kernel must also forward packets
# between the two NICs (net.inet.ip.forwarding=1, set at boot by
# gateway_enable="YES" in /etc/rc.conf).
nat on $ext_if from $int_if:network to any -> ($ext_if)

# filter rules
block all                        # default deny; the rules below open what is needed

pass quick on lo0 all            # loopback is always allowed

# never accept private/loopback sources from the outside, never leak them out
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# inbound ssh to the firewall's own external address only
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state

# inbound ping
pass in inet proto icmp all icmp-type $icmp_types keep state

# anything from the internal net may come in on $int_if; replies go back out
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# outbound on the external NIC (covers the NATed LAN traffic as well as
# the firewall's own connections)
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state


-- 
kopno at sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org
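The ruleset in the message only tells pf how to translate and filter. On FreeBSD the kernel does not pass packets between two NICs until IPv4 forwarding is turned on, which is the first thing to check when the gateway itself can reach the net but nothing behind it can; the /etc/rc.conf settings that enable pf, pflog and forwarding at boot are not part of the post. The fragment below is an added example and not the poster's own configuration: the interface names and the 192.168.0.0/27 network are taken from the message, while the firewall's internal address 192.168.0.1 is an assumption.

```sh
# /etc/rc.conf fragment for the PF/NAT gateway (added example, not from the post)

# Turn on IPv4 forwarding (sets net.inet.ip.forwarding=1 at boot). Without
# this the box can reach the net itself but will not pass the LAN's packets.
gateway_enable="YES"

# Enable pf at boot and load the ruleset from /etc/pf.conf
pf_enable="YES"
pf_rules="/etc/pf.conf"

# Run pflogd so logged packets on pflog0 are written to a file that can be
# read back with: tcpdump -n -e -ttt -r /var/log/pflog
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

# Internal NIC address: assumed, the post gives only the 192.168.0.0/27 network.
# The external NIC (ep0) keeps its address from the public /29 as before.
ifconfig_fxp0="inet 192.168.0.1 netmask 255.255.255.224"
```

Until the next reboot, `sysctl net.inet.ip.forwarding=1` turns forwarding on immediately. `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and once a LAN host is sending traffic `pfctl -sn` shows the NAT rule and `pfctl -ss` the state table, where translated entries from 192.168.0.0/27 should appear.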

