I just installed pf on a new server w/current and nat doesn't
seem to work.
eculp at bafirst.com
Sat Jul 23 11:07:32 GMT 2005
Problem fixed. Thanks
ed
Quoting eculp at bafirst.com:
> My major problem is that I am over 2500 miles from the server and in
> another country. I have configured a current box with the idea of
> stopping at 6.0 but that is another issue.
>
> It would seem that pf nat isn't working. The machines on the lan
> pick up their configuration from dhcpd and can ping their gateway
> 192.168.1.1 (em0 on the server) and 65.81.102.2 (em1 on the server)
> but cannot ping 65.81.102.1 the server's gateway. It would seem that
> there are issues with either ip forwarding or pf nat. When I do a
> pfctl -vv -s Interfaces I get all zeros even though I am creating
> traffic on the server. That doesn't seem to be right.
>
> My configurations follow. I would sure appreciate any suggestions
> because I'm afraid that I've missed something. That is usually the
> case with problems like this.
>
> # sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding: 1
>
> /etc/pf.conf:
>
> int_if = "em0"
> ext_if = "em1"
>
> udp_services = "{ 53 }"
> tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389, 3128 }"
> icmp_types = "echoreq"
> priv_nets = "{ 0.0.0.0/8, 20.20.20.0/24, 169.254.0.0/16, 127.0.0.0/8,
> 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 224.0.0.0/3 }"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> # scrub
> scrub in all
>
> # nat/rdr
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
>
> # filter rules
> block all
> pass quick on lo0 all
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
> pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
> pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> pass out on $ext_if inet proto tcp from any to any port www keep state
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass in on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
>
> rc.conf:
> ifconfig_em0="inet 192.168.1.1 netmask 255.255.255.0"
> ifconfig_em1="inet 65.81.102.2 netmask 255.255.255.248"
> defaultrouter="65.81.102.1"
> gateway_enable="YES"
> pf_enable="YES"
> pf_rules="/etc/pf.conf"
> pf_program="/sbin/pfctl"
> pf_flags=""
> pflog_enable="YES"
> pflog_logfile="/var/log/pflog"
> pflog_program="/sbin/pflogd"
> pflog_flags=""
>
>
> # PF Kernel Config
>
> device pf
> device pflog
> device pfsync
> options ALTQ
> options ALTQ_CBQ
> options ALTQ_RED
> options ALTQ_RIO
> options ALTQ_HFSC
> options ALTQ_CDNR
> options ALTQ_PRIQ
>
> Where else could it be? I have several other machines that have very
> similar configurations and with no problems, of course they are all
> within a 2 hour drive ;)
>
> Thanks for any help or suggestions.
>
> ed
>
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"
>
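When reviewing a ruleset like the one quoted above, it helps to see the rules the way pfctl sees them after macro substitution and list expansion, since a `block` or `pass` line that looks like one rule may be ten. The script below is an added example written for this archive page, not code from the thread or from the pf project. It embeds a constructed copy of the posted pf.conf (with the two rules that the mail client wrapped joined back onto one line each, as pf.conf requires), expands `$macro` references and `{ a, b }` lists into individual rules, and flags references to macros that were never defined, which is a common cause of a ruleset that loads differently from what the author intended.

```python
import re
from itertools import product

# Constructed sample (not the poster's actual file): the ruleset from the
# thread, with the two mail-wrapped rules rejoined onto single lines.
SAMPLE_PF_CONF = """\
int_if = "em0"
ext_if = "em1"

udp_services = "{ 53 }"
tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389, 3128 }"
icmp_types = "echoreq"
priv_nets = "{ 0.0.0.0/8, 20.20.20.0/24, 169.254.0.0/16, 127.0.0.0/8,
192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 224.0.0.0/3 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

# filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
"""

# name = "value"; the value may span lines, as the priv_nets list does.
MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"([^"]*)"[ \t]*$', re.M)
MACRO_REF = re.compile(r'\$(\w+)')
LIST = re.compile(r'\{([^}]*)\}')


def parse_macros(text):
    """Collect macro definitions, flattening multi-line values onto one line."""
    return {name: " ".join(value.split()) for name, value in MACRO_DEF.findall(text)}


def rule_lines(text):
    """Every non-blank, non-comment line that is not a macro definition."""
    body = MACRO_DEF.sub("", text)
    return [ln.strip() for ln in body.splitlines() if ln.strip() and not ln.strip().startswith("#")]


def substitute(line, macros):
    """Replace $name with its value (macros may reference other macros)."""
    for _ in range(10):  # cap nesting so a self-referencing macro cannot loop forever
        new = MACRO_REF.sub(lambda m: macros[m.group(1)], line)  # KeyError if undefined
        if new == line:
            return new
        line = new
    raise ValueError("macro nesting too deep: " + line)


def expand_lists(line):
    """Expand each { a, b } list; several lists in one rule give the cartesian product."""
    parts = LIST.split(line)            # fixed text and list bodies alternate
    fixed, bodies = parts[0::2], parts[1::2]
    lists = [[i.strip() for i in b.split(",") if i.strip()] for b in bodies]
    if not lists:
        return [line]
    out = []
    for combo in product(*lists):
        pieces = [fixed[0]]
        for item, tail in zip(combo, fixed[1:]):
            pieces += [item, tail]
        out.append("".join(pieces))
    return out


def undefined_macros(text):
    """Names referenced with $ anywhere in the file but never defined."""
    return sorted(set(MACRO_REF.findall(text)) - set(parse_macros(text)))


def expand(text):
    """The ruleset as individual rules, roughly what 'pfctl -sr' / '-sn' would show."""
    macros = parse_macros(text)
    rules = []
    for line in rule_lines(text):
        rules.extend(expand_lists(substitute(line, macros)))
    return rules


def rules_matching(text, *tokens):
    """Expanded rules containing every given token, e.g. ('pass in on em1', 'proto tcp')."""
    return [r for r in expand(text) if all(t in r for t in tokens)]


if __name__ == "__main__":
    missing = undefined_macros(SAMPLE_PF_CONF)
    print("undefined macros:", missing or "none")
    for rule in expand(SAMPLE_PF_CONF):
        print(rule)
```

Running it on the sample prints 42 expanded rules, including the single `nat on em1 from em0:network to any -> (em1)` translation rule and one `pass in` rule per listed TCP service. On the live box the same view comes from `pfctl -sr` and `pfctl -sn` after loading, and `pfctl -nf /etc/pf.conf` parses the file without loading it; the script is useful when, as in the thread, one is reading a configuration copied out of mail rather than sitting at the machine.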