I just installed pf on a new server w/current and nat doesn't seem to work.

• Previous message: Pawel Worach: "Re: 6.0 BETA1 if_ath problems"
• Next in thread: eculp_at_bafirst.com: "Re: I just installed pf on a new server w/current and nat doesn't seem to work."
• Reply: eculp_at_bafirst.com: "Re: I just installed pf on a new server w/current and nat doesn't seem to work."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Fri, 22 Jul 2005 18:06:21 -0500
To: current@freebsd.org

My major problem is that I am over 2500 miles from the server and in
another country. I have configured a current box with the idea of
stoping at 6.0 but that is another issue.

It would seem that pf nat isn't working. The machines on the lan
pickup there configuration from dhcpd and can ping their gateway
192.168.1.1 (em0 on the server) and 65.81.102.2 (em1 on the server) but
cannot ping 65.81.102.1 the server's gateway. It would seem that there
are issues with either ip forwarding or pf nat. when I do a pfctl -vv
-s Interfaces I get all zeros even though I am creating traffic on the
server. That doesn't seem to be right.

My configurations follow. I would sure appreciate any suggestions
because I'm afraid that I've missed something. That is usually the
case with problems like this.

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

/etc/pf.conf:

int_if = "em0"
ext_if = "em1"

udp_services = "{ 53 }"
tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389, 3128 }"
icmp_types = "echoreq"
priv_nets = "{ 0.0.0.0/8, 20.20.20.0/24, 169.254.0.0/16, 127.0.0.0/8,
192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 224.0.0.0/3 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

# filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto udp from any to ($ext_if) port
$udp_services keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port
$tcp_services flags S/SA keep state
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

rc.conf:
  ifconfig_em0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_em1="inet 65.81.102.2 netmask 255.255.255.248"
defaultrouter="65.81.102.1" gateway_enable="YES" pf_enable="YES"
  pf_rules="/etc/pf.conf"
  pf_program="/sbin/pfctl"
  pf_flags=""
  pflog_enable="YES"
  pflog_logfile="/var/log/pflog"
  pflog_program="/sbin/pflogd"
  pflog_flags=""

# PF Kernel Config

device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ

Where else could it be? I have several other machines that have very
similar configurations and with no problems, of course they are all
within a 2 hour drive ;)

Thanks for any help or suggestions.

ed

_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"

• Previous message: Pawel Worach: "Re: 6.0 BETA1 if_ath problems"
• Next in thread: eculp_at_bafirst.com: "Re: I just installed pf on a new server w/current and nat doesn't seem to work."
• Reply: eculp_at_bafirst.com: "Re: I just installed pf on a new server w/current and nat doesn't seem to work."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]