pf: nat works, ip blocking and logging do not
Alex Teslik
whereisalext at gmail.com
Sat Feb 13 18:27:08 UTC 2010
I set up pf with NAT on my FreeBSD 7 system:
[gouda:root]/root# pfctl -sa -vvvv
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
@0 nat on em0 inet from 192.168.4.0/24 to any -> (em0) round-robin
[ Evaluations: 29986 Packets: 67086 Bytes: 54746182 States: 21 ]
[ Inserted: uid 0 pid 66358 ]
FILTER RULES:
@0 scrub in all fragment reassemble
[ Evaluations: 1030123 Packets: 539441 Bytes: 76737270 States: 0 ]
[ Inserted: uid 0 pid 66358 ]
@0 block drop in log (all) quick on em0 inet from 11.11.11.111 to any
[ Evaluations: 75127 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 66358 ]
@1 block drop in log (all) quick on em0 inet from 22.22.22.222 to any
[ Evaluations: 32476 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 66358 ]
@2 block drop out log (all) quick on em0 inet from 11.11.11.111 to any
[ Evaluations: 56044 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 66358 ]
@3 block drop out log (all) quick on em0 inet from 22.22.22.222 to any
[ Evaluations: 23568 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 66358 ]
@4 pass in all flags S/SA keep state
[ Evaluations: 75130 Packets: 311544 Bytes: 126402695 States: 62 ]
[ Inserted: uid 0 pid 66358 ]
@5 pass out all flags S/SA keep state
[ Evaluations: 75130 Packets: 239954 Bytes: 97798568 States: 55 ]
[ Inserted: uid 0 pid 66358 ]
NAT works great.
Unfortunately, I can still go to 11.11.11.111 or 22.22.22.222 with no blocking and no logging in /var/log/pflog.
When I listen on pflog0 with tcpdump there are no entries when I go to those IPs.
What am I doing wrong here that is preventing logging and blocking from working?
[gouda:root]/root# tcpdump -vvveni pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
[gouda:root]/root# cat /etc/pf.conf
ext_if="em0"
int_if="sk0"
set skip on lo0
scrub in
nat on $ext_if from $int_if:network to any -> ($ext_if)
block drop in log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222 } to any
block drop out log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222 } to any
pass in all
pass out all
Thank you for your thoughts.
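As an added diagnostic, not part of the original post or of pf itself: a small parser for the `pfctl -sa -vvvv` rule listing that re-joins counter lines a mailer has wrapped and flags block rules pf evaluated many times but which never matched a packet, the pattern visible in the counters above (a sign the traffic is being handled by an existing state or another rule before the block rule is reached). The sample listing is constructed from the post's own counters; the names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample, trimmed from the listing in the post; two counter
# lines are wrapped the way the mailer wrapped them.
SAMPLE = """\
@0 scrub in all fragment reassemble
  [ Evaluations: 1030123 Packets: 539441 Bytes: 76737270 States: 0 ]
@0 block drop in log (all) quick on em0 inet from 11.11.11.111 to any
  [ Evaluations: 75127 Packets: 0 Bytes: 0 States:
0 ]
@2 block drop out log (all) quick on em0 inet from 11.11.11.111 to any
  [ Evaluations: 56044 Packets: 0 Bytes: 0 States: 0 ]
@4 pass in all flags S/SA keep state
  [ Evaluations: 75130 Packets: 311544 Bytes: 126402695 States:
62 ]
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
STATS_RE = re.compile(r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*\d+\s+States:\s*(\d+)")

@dataclass
class Rule:
    number: int
    text: str
    evaluations: int = 0
    packets: int = 0
    states: int = 0

def unwrap(listing: str) -> list[str]:
    """Re-join '[ ... ]' counter lines that were wrapped across lines."""
    lines, buf = [], ""
    for raw in listing.splitlines():
        buf = f"{buf} {raw.strip()}" if buf else raw.strip()
        if buf.startswith("[") and not buf.endswith("]"):
            continue                      # still inside a wrapped bracket
        lines.append(buf)
        buf = ""
    return lines

def parse_rules(listing: str) -> list[Rule]:
    """Pair each '@N rule' line with the counter line that follows it."""
    rules: list[Rule] = []
    for line in unwrap(listing):
        if m := RULE_RE.match(line):
            rules.append(Rule(int(m.group(1)), m.group(2)))
        elif (s := STATS_RE.search(line)) and rules:
            rules[-1].evaluations, rules[-1].packets, rules[-1].states = map(int, s.groups())
    return rules

def dead_block_rules(rules: list[Rule]) -> list[Rule]:
    """Block rules pf evaluated but that never matched a single packet."""
    return [r for r in rules if r.text.startswith("block")
            and r.evaluations > 0 and r.packets == 0]
```

Running `dead_block_rules(parse_rules(SAMPLE))` on the sample reports both block rules, which is exactly the symptom the post describes.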
More information about the freebsd-pf mailing list