N. Ersen SISECI
Fri Nov 16 05:48:24 PST 2007


I changed PF's default rule in kernel (pf_ioctl.h). And than i restarted
my server.
After that server started successfully and then internal network (behind
the NAT) wasn't access the external network.

pass in log quick all
pass out log quick all

Nat rule is:
nat pass on em0 inet all ->

I changed filtering and NAT rules like these. But it's not working.

And then i added log line for default rule in pf_ioctl.h

pf_default_rule.log = PF_LOG;

And then i see the blocking logs on pflog0 with the same rule set.

2007-11-16 15:03:19.291742 rule 4294967295/0(match): block out on em0:
.... ICMP ... > ICMP echo request

So, I removed the pass option in the nat rule and suddenly started to

>From the Man page of pf.conf:

Packets that match a translation rule are only
automatically passed if the /pass/ modifier is given, otherwise they are
still subject to /block/ and /pass/ rules.

But, i think it's not working as desribed above. 

Nat's pass option depends the PF's default rule in the kernel.

Is there anything i missed or wrong?


EnderUNIX SDT @ Turkey

