PF and NAT on FreeBSD 5.3
Karol Kwiatkowski
freebsd at orchid.homeunix.org
Wed Jan 19 09:25:40 PST 2005
Kosta Kilim wrote:
> Hello,
>
> I'm trying to set up PF with NAT for my home network.
>
> PF is compiled into the kernel(FreeBSD 5.3, fresh cvsup) and working,
> I can do pfctl -e|-d|-s just fine. And pflog0 is seen in the
> ifconfig's output.
>
> My IP range is: class C /29
>
> I have an ADSL router which works in bridged mode. So I connect to the
> ISP, get a static address for the router, then I assign one to the
> machine I'd like to act as a firewall from the /29 range.
>
> So the router takes one and the machine takes one address from class
> C/29. The other addresses can be ignored. I don't want to use them.
>
> For the rest of the machines on the network I'd like them to go
> through this machine, which I'd like to do NAT using PF.
>
> The machine has the IP from the class C /29 range, and 192.168.0.0/27
> on the other NIC.
>
> So what I'd like to know is how do I write the rules to perform
> this. I thought that just taking the rules from the first example of
> the PF tutorial would do; I changed them slightly to suit my
> scenario. But still I can only go to the net with the one machine on
> the class C /29 subnet.
pf rules look OK.
Wild guess: have you enabled packet forwarding? You can check it with
sysctl(8):
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1
To enable this at boot time put gateway_enable="YES" in your /etc/rc.conf
Also check the handbook (25.2.4 Building a Router chapter):
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html
> Any hints would be gladly received. Thank you for your time.
You're welcome (I'm not sure if that helps, though).
Regards,
Karol
> # macros, these are renamed to my NIC names
> int_if = "fxp0"
> ext_if = "ep0"
>
> tcp_services = "{ 22 }"
> icmp_types = "echoreq"
>
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/27 }"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> # scrub
> scrub in all
>
> # nat
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
>
> # filter rules
> block all
>
> pass quick on lo0 all
>
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
> port $tcp_services flags S/SA keep state
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> pass in on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
>
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
>
>
--
Karol Kwiatkowski <freebsd at orchid dot homeunix dot org>
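As an added example (not part of this thread), a POSIX sh audit of the three things the reply points at for a FreeBSD PF NAT gateway: the runtime forwarding sysctl, the persistent gateway_enable setting in /etc/rc.conf, and a nat rule on the external interface in /etc/pf.conf. The macro name ext_if and the file paths come from the thread and the handbook defaults; the checks take their input as strings so they can be run against constructed samples, and audit_live() feeds them the real command output.

```sh
#!/bin/sh
# Added example, not from the thread: audit what a PF NAT gateway on
# FreeBSD needs, so "only the firewall itself reaches the net" can be
# pinned down quickly. Each check takes its input as a string so it can be
# exercised on constructed samples; audit_live() feeds it real output.

# 0 if the running kernel forwards (input: a sysctl(8) output line).
forwarding_on() {
    case "$1" in
        "net.inet.ip.forwarding: 1") return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if rc.conf text turns forwarding on persistently (gateway_enable="YES").
rc_gateway_on() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*gateway_enable="?YES"?'
}

# 0 if pf.conf text ($2) has a nat rule on the external interface ($1,
# given as the macro name or the real interface name).
pf_has_nat_on() {
    printf '%s\n' "$2" |
        grep -Eq '^[[:space:]]*nat[[:space:]]+on[[:space:]]+\$?'"$1"'([[:space:]]|$)'
}

# Prints "ok" or a ';'-separated list of findings.
# $1 sysctl line, $2 rc.conf text, $3 pf.conf text, $4 external interface.
audit() {
    findings=""
    forwarding_on "$1" ||
        findings="${findings}forwarding off now (sysctl net.inet.ip.forwarding=1);"
    rc_gateway_on "$2" ||
        findings="${findings}forwarding not persistent (gateway_enable=\"YES\" in /etc/rc.conf);"
    pf_has_nat_on "$4" "$3" ||
        findings="${findings}no nat rule on $4 in pf.conf;"
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; else echo ok; fi
}

# On a FreeBSD box: sh thisfile.sh live ext_if  (reads the live sysctl and files)
audit_live() {
    audit "$(sysctl net.inet.ip.forwarding)" "$(cat /etc/rc.conf)" \
          "$(cat /etc/pf.conf)" "${1:-ext_if}"
}

if [ "${1:-}" = live ]; then audit_live "${2:-}"; fi
```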