problems with PF

Max Laier max at love2party.net
Thu Jul 29 14:23:53 PDT 2004


On Thursday 29 July 2004 22:57, RJ45 wrote:
> hello,
> I configured PF for natting machines on my LAN
> using FreeBSD as ADSL gateway.
>
> I just write a simple rule
> nat on tun0 from 172.16.16.0/24 to any -> (tun0)
					    ^^^^^^

> but NAT does not work, packets are blocked.
>
> ip forwarding is enabled
>
> using ipfilter works and packets are natted successfully with a simple rule
> the same as before:
>
> map tun0 172.16.16.0/24 -> tun0/32
>
>
> I am using PF on OpenBSD since the first time it was released
> so I am sure it is not a problem of my configuration (after all more
> than very simple)
> using PF on FreeBSD I noticed simply packets are not NATted.

Well they are, but to a wrong address or no address at all, depending on the 
state of tun0 upon loading the ruleset.

> I have to say I am using it on sparc64 FreeBSD 5.2.1 on ultra 60.
>
> anyone has some hints ?

Have you applied the dynamic address patches?
# cd /usr/ports/security/pf && make extract && cd work/pf_freebsd_2.03/patches
# less README
for details. Unless you did so, the "(ifname)" syntax will not work on 5.2.1R. 
As a workaround you can place a #pfctl -f <pf.conf> in your linkup script. 
Other than that, you might want to try a recent -current snapshot in order to 
build 3.5 pf (the port is still as of 3.4) out of the box. There you have all 
the fancy interface handling that comes with 3.5 (including dynamic addresses 
of course) and additionally there is ALTQ ;) Patches for hme(4) from Pyun 
YongHyeon are on http://people.freebsd.org/~mlaier/ALTQ_driver/ other driver 
patches upon request.
sparc64 should not be a problem for pf in general.

> maybe on i386 works who knows ?

Not with the dynamic address syntax, no.

-- 
/"\  Best regards,			| mlaier at freebsd.org
\ /  Max Laier				| ICQ #67774661
 X   http://pf4freebsd.love2party.net/	| mlaier at EFnet
/ \  ASCII Ribbon Campaign		| Against HTML Mail and News
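
Added example, not part of the original post or of the pf port: a check that compares the address a loaded nat rule translates to with the interface's current address, and reloads the ruleset only when they differ, as a refinement of the linkup-script workaround above. The `pfctl -s nat` and `ifconfig` sample text is constructed, the one-line rule output format and the `/etc/pf.conf` path are assumptions, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example. Sample data below is constructed (documentation address ranges).
PF_CONF=${PF_CONF:-/etc/pf.conf}   # assumed ruleset path

SAMPLE_RULES='nat on tun0 inet from 172.16.16.0/24 to any -> 198.51.100.4'
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
    inet 203.0.113.7 --> 203.0.113.1 netmask 0xffffffff'

# Print the translation address (the field after "->") of the first
# nat rule on interface $1; rules are read from stdin.
nat_target() {
    awk -v ifn="$1" '$1 == "nat" && $2 == "on" && $3 == ifn {
        for (i = 4; i < NF; i++) if ($i == "->") { print $(i + 1); exit }
    }'
}

# Print the first IPv4 address found in ifconfig output on stdin.
if_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# stale_nat RULES IFCONFIG IFNAME
# Succeeds when the interface has an address and the loaded rule translates
# to something else (a wrong address, or no address at all).
stale_nat() {
    want=$(printf '%s\n' "$2" | if_addr)
    have=$(printf '%s\n' "$1" | nat_target "$3")
    [ -n "$want" ] && [ "$want" != "$have" ]
}

# Live variant for a linkup script: reload only when the rule is stale.
reload_if_stale() {
    if stale_nat "$(pfctl -s nat)" "$(ifconfig "$1")" "$1"; then
        pfctl -f "$PF_CONF"
    fi
}

# Demo on the constructed samples (does not touch pf).
if stale_nat "$SAMPLE_RULES" "$SAMPLE_IFCONFIG" tun0; then
    echo "stale: rule uses $(printf '%s\n' "$SAMPLE_RULES" | nat_target tun0)," \
         "tun0 has $(printf '%s\n' "$SAMPLE_IFCONFIG" | if_addr)"
fi
```

Calling `reload_if_stale tun0` from the linkup script requires root and a loaded pf.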