'nat pass' not working in PF
Andrew L. Gould
algould at datawok.com
Fri Jan 21 06:20:44 PST 2005
I'm running pf in FreeBSD 5.3 on my laptop. The filters for the local
box work fine.
I'm also working on a PC for a friend, but ran out of Ethernet ports in
my router. This PC doesn't have a wireless adapter, so I adjusted my
pf rules to use my laptop as a gateway for the PC.
I want my filters to remain intact for the laptop, but I want nat to let
all the PC's traffic through. (It has its own firewall.) According to
the OpenBSD pf tutorial, adding the word 'pass' after 'nat' in the nat
command will allow nat traffic to bypass the filter rules.
Unfortunately, this doesn't seem to work.
If my default 'block log all' rule is left uncommented, I can only ping
IP addresses (not host names that require nameservers). No other
activity passes through. If I comment it out, all traffic passes, but
my laptop is left unprotected.
Any advice?
The relevant lines from my pf rules follow:
ifdev = "ath0"
natdev = "fxp0"
scrub in all no-df
nat pass on $ifdev from $natdev:network to any -> $ifdev
icmp_types = "echoreq"
block log all
#other filtering rules follow
Thanks,
Andrew Gould
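The behaviour described in the post, as an added illustration that is not part of Andrew's message or ruleset: in the pf shipped with FreeBSD 5.3 (pre-OpenBSD 4.7 syntax), 'pass' on a nat rule only exempts the translated packet from the filter rules as it leaves the NAT interface ($ifdev). The same packet was already evaluated by the filter rules when it arrived from the PC on $natdev, where 'block log all' drops it (echo requests get through only because a later echoreq rule matches them). The ruleset below keeps the default deny for the laptop and adds an explicit inbound pass on $natdev restricted to the PC's subnet; the interface names are taken from the post, and the trailing ICMP rule is an assumed stand-in for whatever rule the icmp_types macro feeds.

```pf
# Added example, not the original poster's ruleset.
# Assumes net.inet.ip.forwarding=1 is set, as it must be for any forwarding.
ifdev  = "ath0"    # wireless uplink; NAT happens here
natdev = "fxp0"    # wired interface the friend's PC is plugged into
icmp_types = "echoreq"

scrub in all no-df

# 'pass' here only exempts the translated packet on $ifdev from the
# filter rules. It does NOT exempt the packet arriving on $natdev.
nat pass on $ifdev from $natdev:network to any -> $ifdev

# The laptop itself stays protected by the default deny ...
block log all

# ... but forwarded traffic is admitted where it enters, on $natdev,
# limited to the PC's subnet so nothing else on that wire is trusted.
# 'keep state' lets DNS/TCP/UDP replies return through the gateway.
pass in on $natdev from $natdev:network to any keep state

# Assumed stand-in for the poster's ICMP rule (their icmp_types macro
# implies one); this is what let plain pings work even with block log all.
pass in inet proto icmp all icmp-type $icmp_types keep state
```

After loading this with `pfctl -f /etc/pf.conf`, `pfctl -sr` shows the filter rules and `pfctl -ss` the states; a name lookup from the PC should now create a UDP state on port 53 instead of a logged block on fxp0.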
More information about the freebsd-questions mailing list