nat/outbound traffic not passing in pf on FreeBSD 6.1

Daniel Hartmeier daniel at benzedrine.cx
Wed Jul 26 20:24:57 UTC 2006


Can you give us an example of just one connection that doesn't work?

Like, local workstation i.i.10.3, connected to em1, matching $inwr,
tries to connect to an external host 62.65.145.30. Protocol TCP, source
port 12345, destination port 80. The TCP SYN is seen (with tcpdump)
incoming on em1. But it's not seen outgoing (NAT'ed to source address
o.o.33.46) on em0.

> scrub in all fragment reassemble
> block drop in log all
> pass in on em0 inet proto tcp from any to i.i.10.15 port = ssh keep state
> pass in on em0 inet proto tcp from any to o.o.33.46 port = ssh keep state
> pass in on em1 inet from i.i.10.0/24 to any keep state
> pass out on em0 inet from o.o.33.46 to any keep state
> block drop in on ! em0 inet from o.o.33.i/29 to any
> block drop in on em0 inet6 from fe80::213:72ff:fe5f:6e6b to any
> block drop in inet from o.o.33.46 to any
> block drop in on ! em1 inet from i.i.10.0/24 to any
> block drop in on em1 inet6 from fe80::213:72ff:fe5f:6e6c to any
> block drop in inet from i.i.10.1 to any

A packet that doesn't match any of those rules will be passed. Since you
don't block outgoing packets at all, you should see the TCP SYN go out
on em1 (properly NAT'ed). Since NAT implies keep state, a state entry
should be created even if you don't have an explicit 'pass out keep
state' rule.

Your pfctl -si output shows that there are states created, and that
packets are matching those states and passing.

You should see the returning TCP SYN+ACK incoming on em1 (with tcpdump),
get NAT'ed back to the internal destination address, and leave out on
em0.

Make sure that there's nothing weird going on with the network cables,
i.e. that em0 is really the internal NIC, that the local workstation
does not have any other way to reach the external host except through
the pf box, and that it's using the pf box as default gateway.

If the TCP SYN and SYN+ACK show up in any other order (than described
above) on the two interfaces, that would be the clue to the problem.

There is no difference between pf on OpenBSD and FreeBSD in this regard,
and I very much doubt there is a bug as basic as this still undetected.
More likely, there is some other difference between your OpenBSD and
FreeBSD setups, as simple as a cable plugged in somewhere :)

Daniel
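The check Daniel describes, merging a tcpdump from each interface and looking for the four legs of one NAT'ed handshake in order, can be scripted. The following is an added example, not code from this mail, from pf or from FreeBSD. It assumes the interface roles from the first paragraph (em1 internal, em0 external), substitutes documentation addresses for the anonymised ones (10.0.10.3 for i.i.10.3, 192.0.2.46 for o.o.33.46, 203.0.113.30 for the external host), and assumes the operator prepended the interface name to each tcpdump line, e.g. `tcpdump -nn -tt -i em0 tcp | sed 's/^/em0 /'`. The capture lines are constructed; the hint strings are the places a practitioner would look next, not output of any real tool.

```python
"""Merge per-interface tcpdump output and verify the order of the four legs
of one outbound TCP handshake through a pf NAT box (added example).

Assumed line format (interface name prepended by the operator):
  em1 1153945497.000100 IP 10.0.10.3.12345 > 203.0.113.30.80: Flags [S], ...
"""
import re
from typing import List, NamedTuple, Tuple

INT_IF, EXT_IF = "em1", "em0"      # internal / external NIC, as in the mail
LAN_HOST = "10.0.10.3"             # stands in for i.i.10.3 (constructed)
NAT_ADDR = "192.0.2.46"            # stands in for o.o.33.46 (constructed)
REMOTE = "203.0.113.30"            # stands in for the external host (constructed)

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\d+(?:\.\d+)?)\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"Flags \[(?P<flags>[^\]]*)\]"
)


class Pkt(NamedTuple):
    iface: str
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_capture(lines: List[str]) -> List[Pkt]:
    """Parse the merged capture into packets sorted by timestamp.
    Lines that are not IPv4 TCP packets (ARP, IPv6, ...) are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Pkt(m["iface"], float(m["ts"]), m["src"], int(m["sport"]),
                            m["dst"], int(m["dport"]), m["flags"]))
    return sorted(pkts, key=lambda p: p.ts)


def expected_legs(lan_sport: int, dport: int):
    """The four legs in the order they must appear. pf may rewrite the source
    port when translating, so the port is only pinned on the LAN-side legs
    (None = don't care)."""
    return [
        (INT_IF, LAN_HOST, lan_sport, REMOTE, dport, "S", "SYN from workstation in on " + INT_IF),
        (EXT_IF, NAT_ADDR, None, REMOTE, dport, "S", "NAT'ed SYN out on " + EXT_IF),
        (EXT_IF, REMOTE, dport, NAT_ADDR, None, "S.", "SYN+ACK from remote in on " + EXT_IF),
        (INT_IF, REMOTE, dport, LAN_HOST, lan_sport, "S.", "SYN+ACK translated back, out on " + INT_IF),
    ]


# Where to look next when a leg is missing (suggestions, not tool output).
HINTS = {
    1: "workstation traffic never reaches the pf box: check its default gateway and other paths",
    2: "SYN came in but never left NAT'ed: check the nat rule, pfctl -ss and the routing table on the pf box",
    3: "NAT'ed SYN left but no reply came back: the problem is upstream of the pf box",
    4: "reply came in but was not translated back: check pfctl -ss for the matching state entry",
}


def diagnose(pkts: List[Pkt], lan_sport: int, dport: int = 80) -> Tuple[int, str]:
    """Return (0, msg) if all legs appear in order, else (n, msg) for the first
    missing or out-of-order leg n (1..4)."""
    pos = 0  # legs must be found at increasing positions in the sorted capture
    for n, (iface, src, sport, dst, dp, flags, desc) in enumerate(expected_legs(lan_sport, dport), 1):
        hit = None
        for i in range(pos, len(pkts)):
            p = pkts[i]
            if (p.iface == iface and p.src == src and p.dst == dst and p.flags == flags
                    and (sport is None or p.sport == sport)
                    and (dp is None or p.dport == dp)):
                hit = i
                break
        if hit is None:
            return n, f"leg {n} missing ({desc}): {HINTS[n]}"
        pos = hit + 1
    return 0, "all four legs seen in the expected order"


# Constructed captures: a healthy handshake, and the symptom from the thread
# (SYN seen entering em1, nothing leaves em0).
HEALTHY = [
    "em1 1153945497.000100 IP 10.0.10.3.12345 > 203.0.113.30.80: Flags [S], seq 100, win 65535, length 0",
    "em0 1153945497.000150 IP 192.0.2.46.50001 > 203.0.113.30.80: Flags [S], seq 100, win 65535, length 0",
    "em0 1153945497.030000 IP 203.0.113.30.80 > 192.0.2.46.50001: Flags [S.], seq 500, ack 101, win 5840, length 0",
    "em1 1153945497.030050 IP 203.0.113.30.80 > 10.0.10.3.12345: Flags [S.], seq 500, ack 101, win 5840, length 0",
]
BROKEN = [
    "em1 1153945497.000090 ARP, Request who-has 10.0.10.1 tell 10.0.10.3, length 46",
    HEALTHY[0],
]

if __name__ == "__main__":
    for name, cap in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(name, diagnose(parse_capture(cap), lan_sport=12345))
```

The source port is deliberately left unpinned on the two external-side legs because pf picks a fresh source port from its NAT port range when translating unless the nat rule uses `static-port`; matching on it would make a healthy capture look broken.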

