[pf4freebsd] Re: PF on FREEBSD 5

Pyun YongHyeon yongari at kt-is.co.kr
Wed Sep 15 20:39:03 PDT 2004 

On Mon, May 19, 2003 at 12:21:39AM +0100, Ziad Afra wrote:
 > Hello
 > 
 > My experiences are thus
 > 
 > NAT does not work at all on my configuration.
 > 
 > 
 > My rules are set as follows: - 
 > 
 > # macros
 > ext_if = "fxp0"
 > int_if = "fxp1"
 > int_lan = "172.16.4.0/24"
 > icmp_types = "{ 8, 11 }"
 > 
 > # options
 > set block-policy return
 > set loginterface $ext_if
 > 
 > # scrub
 > scrub in all
 > 
 > # nat/rdr
 > nat on $ext_if from $int_lan to any -> ($ext_if)
 > 
 > # filter rules
 > block all
 > 
 > pass quick on lo0 all
 > 
 > block drop in  quick on $ext_if from any to any
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 > block drop out quick on $ext_if from any to any
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You have completely blocked all packets from this host.
Rememer the last matching rule wins!(This is not ipfw.)
You should remove quick keyword to continue process remaining
rules.

 > 
 > pass in on $ext_if inet proto tcp from any to ($ext_if) \
 >    port {22, 80, 53, 113}  flags S/SAFR keep state
 > 
 > pass in inet proto icmp all icmp-type $icmp_types keep state
 > 
 > pass in  on $ext_if from any to $int_if keep state
 > pass out on $int_if from any to $int_if keep state
 > pass out on $ext_if from $int_if keep state
 > 
Here you may have confused with ipfw style again.
Do not keep state on internal network interface if you don't
really have to do. This makes rules much harder to maintain.
For normal cases for NAT just pass all packets for internal interface.
If you need filtering do it on external interface.
So above three rules comes to this:
pass in quick on $int_if all
pass out quick on $int_if all

 > pass out on $ext_if proto tcp all modulate state flags S/SAFR
 > pass out on $ext_if proto { udp, icmp } all keep state
 > 
 > 
 > 
 > When attempting to call out for dns or other external services from my
 > internal LAN, my internal ip is used for the request i.e.
 > 
 > Internally 172.16.4.5 calls for nslookup, this address is used on the
 > external interface to the requested dns server for the call. Simply put
 > NAT does not seem to be working for my current configuration.
 > 
 > Regards and hope you can help
 > 
 > Ziad
 > 
 > 

For more detailed information on PF's syntax and configuration,
please refer to OpenBSD's excellent FAQ.
http://www.openbsd.org/faq/pf/index.html

You can find more examples of pf.conf at this URL.
https://solarflux.org/pf/

Also there is a mailing list for PF on FreeBSD.
You may get more help for FreeBSD specific problems from that list.
See http://pf4freebsd.love2party.net/mlist.html

For general PF FAQ see http://www.benzedrine.cx/mailinglist.html.

Thanks and Good luck.

Pyun YongHyeon
--

More information about the freebsd-pf mailing list