NAT problem with icmp

Pejman Moghadam d_a_d_a_sh at yahoo.com
Sat Jul 23 03:52:31 GMT 2005


Dear Greg,
According to your guide I changed my pf.conf, and everything is working very well,
but I can still ping a single IP address from only one of my clients; when I stop pinging
on that station, another one begins to ping. Please check this out:
 
#-----------------------------
# Some definitions
extif="{ ed0 }"
extip="{ (ed0) }"
intif="{ dc0 }"
intip="{ (dc0) }"
table <lan> { 192.168.1.0/24 }
cache="192.168.1.1"
 
lan_inet_tcp="{ 80 800 8000 8080 8383 3000 3128 2082 2095 443 21 20 25 110 23 22 5631 554 7070 5050 5001 5100 11999 1863 }"
lan_inet_udp="{ 53 161 5632 5000 6970><7170 }"
lan_inet_icmp="{ 192.9.9.3 }"
 
fw_inet_tcp="{ 80 800 8000 8080 8383 3000 3128 2082 2095 443 21 20 25 110 23 22 5631 554 7070 5050 5001 5100 11999 1863 }"
fw_inet_udp="{ 53 161 5632 5000 6970><7170 }"
fw_inet_icmp="{ 192.9.9.3 }"
 
lan_fw_tcp="{ 80 22 3128 20 21 8021 }"
lan_fw_udp="{ 53 161 }"
lan_fw_icmp = "{ self }"
 
fw_lan_tcp="{ 80 21 20 23 22 }"
fw_lan_udp="{ 53 161 }"
fw_lan_icmp="{ <lan> }"
 
lan_lan_tcp="{ 80 20 21 25 110 23 22 5631 }"
lan_lan_udp="{  53 161 5632 }"
lan_lan_icmp="{ <lan> }"
 
#inet_fw_tcp
#inet_fw_udp
#inet_fw_icmp
 
#inet_lan_tcp
#inet_lan_udp
#inet_lan_icmp
#-----------------------------
# normalization incoming packets
scrub in all
#-----------------------------
# nat 
nat on $extif from <lan> to any -> $extip 
 
# ftp redirect for clients behind the firewall
rdr on $intif inet proto tcp from <lan> to !<lan> port 21 -> $intip port 8021
 
# http redirect local cache
rdr on $intif inet proto tcp from <lan> to !<lan> port 80 -> $intip port 3128
 
# http redirect remote cache
#rdr on $intif inet proto tcp from <lan> to !<lan> port 80 -> $cache port 3128
#nat on $intif from <lan> to $cache -> $intip 
#-----------------------------
# policy
block log all
 
# anti spoofing
antispoof quick for $intif inet
 
# loopback
pass quick on lo0 all
#-----------------------------
# LAN -> INET
pass in quick on $intif inet proto icmp from <lan> to $lan_inet_icmp keep state
pass in quick on $intif inet proto udp from <lan> to any port $lan_inet_udp keep state
pass in quick on $intif inet proto tcp from <lan> to any port $lan_inet_tcp flags S/SA modulate state
#-----------------------------
# FW  -> INET
pass out quick on $extif inet proto icmp from $extip to $fw_inet_icmp keep state
pass out quick on $extif inet proto udp from $extip to any port $fw_inet_udp keep state
pass out quick on $extif inet proto tcp from $extip to any port $fw_inet_tcp flags S/SA modulate state
#-----------------------------
# LAN -> FW
pass in quick on $intif inet proto icmp from <lan> to $lan_fw_icmp keep state
pass in quick on $intif inet proto udp from <lan> to $intip port $lan_fw_udp keep state
pass in quick on $intif inet proto tcp from <lan> to $intip port $lan_fw_tcp flags S/SA modulate state
#-----------------------------
# FW  -> LAN
pass out quick on $intif inet proto icmp from $intip to $fw_lan_icmp keep state
pass out quick on $intif inet proto udp from $intip to any port $fw_lan_udp keep state
pass out quick on $intif inet proto tcp from $intip to any port $fw_lan_tcp flags S/SA modulate state

# for ftp-proxy connections :(
pass out quick on $intif inet proto tcp from $intip to any flags S/SA modulate state
#-----------------------------
# LAN -> LAN
pass in quick on $intif inet proto icmp from <lan> to $lan_lan_icmp keep state
pass in quick on $intif inet proto udp from <lan> to <lan> port $lan_lan_udp keep state
pass in quick on $intif inet proto tcp from <lan> to <lan> port $lan_lan_tcp flags S/SA modulate state
#-----------------------------
# INET -> FW
# for ftp-proxy connections
pass in quick on $extif inet proto tcp from any port 20 to $extip user proxy flags S/SA modulate state
#-----------------------------
# INET -> LAN
#-----------------------------
 
 
And again:
 
>> The problem is:
>> I can ping 192.9.9.3 from only one of my stations (192.168.1.18).
>> Other stations show "Request timed out." (192.168.1.19)
>> So... is there any problem with NATing ICMP packets in pf?
>> Or is this just my mistake in pf.conf?
 
Thanks in advance
Pejman


Greg Hennessy <Greg.Hennessy at nviz.net> wrote:

> Hi,
> Here is a simple explanation:
> This is my pf.conf
> 
> extif="{ ed0 }"
> extip="{ (ed0) }"
> table { 192.168.1.0/24 }
> nat on $extif from to any -> $extip pass all

The syntax for the nat statement above doesn't look right. 

> I want to ping from my lan stations to a public dns server 
> like 192.9.9.3 look at my state table:

You need to add a pass rule on the inside interface to make it so. 


At the very least your packet filtering policy should consist of the
following in addition to what you have above. 


ICMP="inet proto icmp"
KS="keep state"
intif="dc0"
.
.
set block-policy return

#
# If using CURRENT otherwise use the pass rule below. 
set skip on lo0
.
.
.


block log all 

# on 5.x instead of 'set skip'
pass on lo0 all keep state
#

pass in log quick on $intif $ICMP from $intif:network to !$intif:network icmp-type echoreq $KS



Make sure you have routing enabled as appropriate. 



Greg
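
Neither message actually says which rule, if any, the second client's echo request hits, and that is the first thing to establish before suspecting the translation itself. The script below is an added example for this thread, not pf's own parser and not code from either poster: it re-implements just enough of pf.conf rule matching (macro expansion, `{ }` lists, the `<lan>` table, `any`, single ports and the inclusive `a:b` / exclusive `a><b` port ranges) to evaluate the three "LAN -> INET" pass rules quoted above against constructed packets from 192.168.1.18 and 192.168.1.19. The `lan_inet_tcp` macro is shortened for brevity; the other macros, the table and the rule lines are copied verbatim from the posted pf.conf.

```python
"""Minimal matcher for the 'LAN -> INET' pf rules quoted in the thread.

Added example for this thread, not pf's parser: it understands only the
subset of pf.conf syntax the posted rules use.
"""
import ipaddress
import re

# Macros and table copied from the posted pf.conf (lan_inet_tcp shortened).
MACROS = {
    "intif": "{ dc0 }",
    "lan_inet_tcp": "{ 80 443 22 }",
    "lan_inet_udp": "{ 53 161 5632 5000 6970><7170 }",
    "lan_inet_icmp": "{ 192.9.9.3 }",
}
TABLES = {"lan": [ipaddress.ip_network("192.168.1.0/24")]}

# The three LAN -> INET pass rules, verbatim from the post (all are 'quick').
RULES = [
    "pass in quick on $intif inet proto icmp from <lan> to $lan_inet_icmp keep state",
    "pass in quick on $intif inet proto udp from <lan> to any port $lan_inet_udp keep state",
    "pass in quick on $intif inet proto tcp from <lan> to any port $lan_inet_tcp flags S/SA modulate state",
]


def expand(rule):
    """Substitute $macro references textually, as pfctl does before parsing."""
    return re.sub(r"\$(\w+)", lambda m: MACROS[m.group(1)], rule)


def tokenize(rule):
    """Whitespace-split the expanded rule, folding '{ a b }' into a Python list."""
    text = re.sub(r"([{}])", r" \1 ", expand(rule))  # tolerate '7170}' without a space
    out, cur = [], None
    for tok in text.split():
        if tok == "{":
            cur = []
        elif tok == "}":
            out.append(cur)
            cur = None
        elif cur is not None:
            cur.append(tok)
        else:
            out.append(tok)
    return out


def as_list(tok):
    return tok if isinstance(tok, list) else [tok]


def parse_rule(rule):
    """Extract the fields that decide a match; state/flags keywords are ignored."""
    toks = tokenize(rule)
    r = {"action": toks[0], "dir": toks[1], "iface": [], "proto": None,
         "src": ["any"], "dst": ["any"], "ports": None}
    i = 2
    while i < len(toks):
        key = toks[i]
        if key in ("on", "proto", "from", "to", "port"):
            field = {"on": "iface", "from": "src", "to": "dst", "port": "ports"}.get(key, key)
            r[field] = toks[i + 1] if key == "proto" else as_list(toks[i + 1])
            i += 2
        else:
            i += 1  # quick, inet, keep state, flags S/SA, modulate state
    return r


def addr_match(spec, ip):
    """'any', '<table>', a host or a CIDR, optionally negated with a leading '!'."""
    if spec == "any":
        return True
    neg = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("<") and spec.endswith(">"):
        hit = any(ip in net for net in TABLES[spec[1:-1]])
    else:
        hit = ip in ipaddress.ip_network(spec, strict=False)
    return hit != neg


def port_match(spec, port):
    """Single port, inclusive 'a:b' range, or pf's exclusive 'a><b' range."""
    if "><" in spec:
        lo, hi = map(int, spec.split("><"))
        return lo < port < hi
    if ":" in spec:
        lo, hi = map(int, spec.split(":"))
        return lo <= port <= hi
    return port == int(spec)


def rule_matches(r, pkt):
    if r["iface"] and pkt["iface"] not in r["iface"]:
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if not any(addr_match(s, src) for s in r["src"]):
        return False
    if not any(addr_match(d, dst) for d in r["dst"]):
        return False
    if r["ports"] is not None and not any(port_match(p, pkt.get("dport", 0)) for p in r["ports"]):
        return False
    return True


PARSED = [parse_rule(x) for x in RULES]


def first_match(pkt):
    """Index of the first matching rule (they are all 'quick'), or None if blocked."""
    for n, r in enumerate(PARSED):
        if rule_matches(r, pkt):
            return n
    return None


def echo_request(src, dst="192.9.9.3"):
    """Constructed packet: ICMP arriving on the inside interface from a LAN host."""
    return {"iface": "dc0", "proto": "icmp", "src": src, "dst": dst}


if __name__ == "__main__":
    for host in ("192.168.1.18", "192.168.1.19", "192.168.2.5"):
        print(host, "-> rule", first_match(echo_request(host)))
```

Both 192.168.1.18 and 192.168.1.19 land on the same ICMP pass rule (index 0) while a host outside the `<lan>` table, an echo to a destination not in `$lan_inet_icmp`, or a packet arriving on ed0 all fall through to `block log all`. So the posted rule set does pass both clients' echo requests, which is consistent with Greg's point that the inside-interface pass rule is what admits them; the next thing to look at on the box is `pfctl -ss` while both stations ping, to see whether each client's echo session gets its own state entry after translation.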

_______________________________________________
freebsd-pf at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"

		
---------------------------------
 Start your day with Yahoo! - make it your home page 

