NAT problem with icmp

Greg Hennessy Greg.Hennessy at nviz.net
Wed Jul 20 07:38:41 GMT 2005


 
> Hi,
> Here is simple explanation :
> This is my pf.conf
>  
> extif="{ ed0 }"
> extip="{ (ed0) }"
> table <lan> { 192.168.1.0/24 }
> nat on $extif from <lan> to any -> $extip pass all

The syntax for the nat statement above doesn't look right. 

> I want to ping from my LAN stations to a public DNS server
> like 192.9.9.3. Look at my state table:

You need to add a pass rule on the inside interface to make it so. 


At the very least, your packet filtering policy should consist of the
following, in addition to what you have above.


ICMP="inet proto icmp"
KS="keep state"
intif="dc0"
.
.
set block-policy return

#
# If using CURRENT; otherwise use the pass rule below.
set skip on lo0
.
.
.


block log all

# on 5.x instead of 'set skip'
pass on lo0 all keep state
#

pass in log quick on $intif $ICMP from $intif:network to !$intif:network \
    icmp-type echoreq $KS



Make sure you have routing enabled as appropriate. 



Greg
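As an added worked example (not part of Greg's reply or the original poster's configuration), here is a complete, minimal pf.conf for the scenario in this thread: a FreeBSD box with ed0 facing the Internet and dc0 facing the 192.168.1.0/24 LAN, translating LAN traffic and allowing LAN hosts to ping outside addresses. The interface names and the LAN prefix come from the thread; the macro names, the scrub line and the outbound rule on the external interface are assumptions for illustration.

```pf
# Added example pf.conf, not the config posted in the thread.
# Assumed layout: ed0 = external (Internet), dc0 = internal (LAN).
ext_if = "ed0"
int_if = "dc0"
lan    = "192.168.1.0/24"

# Answer blocked packets with RST / ICMP unreachable rather than dropping silently
set block-policy return

# Do not filter loopback at all. 'set skip' needs a pf that supports it
# (FreeBSD 6.x / CURRENT at the time of the thread); on 5.x use instead:
#   pass quick on lo0 all keep state
set skip on lo0

# Reassemble fragments and sanity-check packets before the rules see them (assumption)
scrub in all

# Translation: rewrite LAN source addresses to whatever address ed0 holds.
# The parenthesised form "($ext_if)" is re-evaluated at match time, so it
# keeps working when the external address changes (DHCP, PPP).
nat on $ext_if from $lan to any -> ($ext_if)

# Default deny, logged
block log all

# Let LAN hosts ping anything outside the LAN. 'keep state' on this inbound
# rule creates the state entry that also lets the echo reply back in.
pass in log quick on $int_if inet proto icmp from $lan to ! $lan \
    icmp-type echoreq keep state

# Everything leaving on the external side (including the translated pings)
# gets a state entry so the replies are matched on the way back (assumption)
pass out quick on $ext_if keep state
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only), then load it with `pfctl -f /etc/pf.conf`. The box must also forward packets between dc0 and ed0: `sysctl net.inet.ip.forwarding=1` enables this for the running system, and `gateway_enable="YES"` in /etc/rc.conf makes it persistent. After a LAN host pings 192.9.9.3, `pfctl -ss` should show an icmp state whose translated side carries ed0's address.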



More information about the freebsd-pf mailing list