[pf4freebsd] Re: Version 1.52
Ziad Afra
ziad.afra at refraction.co.uk
Wed Sep 15 20:39:28 PDT 2004
All
I still can't get NAT to work correctly on my setup. It's quite
frustrating, I must say.
My configuration is as follows:-
FreeBSD XXX.XXX.XXX 5.0-RELEASE FreeBSD 5.0-RELEASE #6: Wed May 14
00:30:11 BST 2003 root at XXX.XXX.XXX:/usr/obj/usr/src/sys/FREE i386
===[root] ~ # sysctl -a|grep -i forw
kern.smp.forward_signal_enabled: 1
kern.smp.forward_roundrobin_enabled: 1
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 1
net.inet6.ip6.forwarding: 0
===[root] /boot/kernel # pwd
/boot/kernel
### of concern ###
-r-xr-xr-x 1 root wheel 124916 May 14 01:46 pf.ko
-r-xr-xr-x 1 root wheel 6844 May 14 01:46 pflog.ko
-r-xr-xr-x 1 root wheel 8442 May 14 01:46 pfsync.ko
===[root] /boot/kernel # pfctl -sa
scrub in all fragment reassemble
pass quick on lo0 all
nat on fxp0 inet from 172.16.4.1 to any -> 172.16.4.11
pfctl: DIOCGETALTQS: Operation not supported by device
Status: Enabled for 1 days 20:58:49 Debug: None
State Table Total Rate
current entries 0
searches 0 0.0/s
inserts 0 0.0/s
removals 0 0.0/s
Counters
match 0 0.0/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
states hard limit 10000
frags hard limit 5000
===[root] /usr/local/etc # cat pf.conf
# macros
ext_if = "fxp0"
int_if = "fxp1"
int_lan = "172.16.5.255"
# scrub
scrub in all
# nat/rdr
nat on $ext_if from 172.16.5.1 to any -> 172.16.4.11
As you can see here I have set an explicit rule for 1 internal IP to be
used and still no difference. This test firewall is already behind an
existing implementation of OpenBSD using PF which I know works.
So what looks to be happening is that NAT is not working correctly, as
per the tcpdump (fxp0 is my external interface to the ubernet):-
===[root] /usr/local/etc # tcpdump -i fxp0 host 172.16.5.1
tcpdump: listening on fxp0
22:31:58.614125 172.16.5.1.3743 > ns.cableinet.net.domain: 7+[|domain]
22:32:00.606079 172.16.5.1.3744 > ns.cableinet.net.domain: 8+ A?
www.hotmail.com. (33)
Why is 172.16.5.1 making domain requests on the external interface
when it should be 172.16.4.11?
NAT looks to be borked with regards to my implementation. Perhaps I
have done something wrong?
Comments please! I could really do with some help here...
Regards
Ziad
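Added example, not from the post or from the pf4freebsd project: a small Python check for ruleset drift, which expands the macros in a pf.conf and diffs its nat rules against what pfctl reports as loaded. The two rule sets are constructed from the post above (the loaded rule reads "from 172.16.4.1", the file reads "from 172.16.5.1"), and the check also lists macros that are defined but never referenced; the rule-line and macro syntax handled here is an assumption limited to the simple forms shown in the post.

```python
import re

# Constructed inputs reproducing the post: the nat rule pfctl -sa reported as
# loaded, and the pf.conf shown (which differs in the source address).
LOADED_RULES = "nat on fxp0 inet from 172.16.4.1 to any -> 172.16.4.11\n"
PF_CONF = """\
# macros
ext_if = "fxp0"
int_if = "fxp1"
int_lan = "172.16.5.255"
# scrub
scrub in all
# nat/rdr
nat on $ext_if from 172.16.5.1 to any -> 172.16.4.11
"""

# name = "value" macro definitions (quotes optional, trailing comment allowed)
MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]+?)"?\s*(?:#.*)?$')

def parse_macros(conf):
    """Collect macro definitions from pf.conf text."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros

def expand(rule, macros):
    """Replace $name references with macro values (unknown names left as-is)."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), rule)

def normalize(rule):
    """Drop the 'inet' family token that pfctl prints but the file omits."""
    return ' '.join(t for t in rule.split() if t != 'inet')

def stale_nat_rules(conf, loaded_output):
    """Return (in file but not loaded, loaded but not in file), macro-expanded."""
    macros = parse_macros(conf)
    want = {normalize(expand(l, macros)) for l in conf.splitlines()
            if l.startswith('nat ')}
    have = {normalize(l) for l in loaded_output.splitlines()
            if l.startswith('nat ')}
    return sorted(want - have), sorted(have - want)

def unused_macros(conf):
    """Macros defined but never referenced as $name in any rule line."""
    body = '\n'.join(l for l in conf.splitlines() if not MACRO_RE.match(l))
    return sorted(n for n in parse_macros(conf) if '$' + n not in body)
```

A non-empty first list means the file's rule was never loaded (pf.conf edited but no pfctl -f run), which matches the zero match counters and the untranslated packets in the tcpdump.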
-----Original Message-----
From: pf4freebsd-bounce at freelists.org
[mailto:pf4freebsd-bounce at freelists.org] On Behalf Of Max Laier
Sent: 03 June 2003 11:46
To: pf4freebsd at freelists.org
Subject: [pf4freebsd] Version 1.52
Hello,
just uploaded version 1.52
(http://pf4freebsd.love2party.net/pf_freebsd_1.52.tar.gz)
Pyun found some missing initialisations for new structures and fixed a
long standing problem with the "WITH_RANDOM_ID=yes" option (which now
has an effect again).
Please update to the new version.
I didn't receive any feedback (neither good nor bad) about the new
version. Is someone actually running it on her/his box? I have it on my
gateway and didn't see anything bad yet, but I am really curious about
your experience. So, if you gave it a try, please let me know.
Thanks
Max