Re: I just installed pf on a new server w/current and nat doesn't seem to work.

eculp_at_bafirst.com
Date: 07/23/05

    Date: Sat, 23 Jul 2005 06:07:30 -0500
    To: freebsd-current@freebsd.org

    Problem fixed. Thanks

    ed

    Quoting eculp@bafirst.com:

    > My major problem is that I am over 2500 miles from the server and in
    > another country. I have configured a current box with the idea of
    > stopping at 6.0 but that is another issue.
    >
    > It would seem that pf nat isn't working. The machines on the lan
    > pick up their configuration from dhcpd and can ping their gateway
    > 192.168.1.1 (em0 on the server) and 65.81.102.2 (em1 on the server)
    > but cannot ping 65.81.102.1, the server's gateway. It would seem that
    > there are issues with either ip forwarding or pf nat. When I do a
    > pfctl -vv -s Interfaces I get all zeros even though I am creating
    > traffic on the server. That doesn't seem to be right.
    >
    > My configurations follow. I would sure appreciate any suggestions
    > because I'm afraid that I've missed something. That is usually the
    > case with problems like this.
    >
    > # sysctl net.inet.ip.forwarding
    > net.inet.ip.forwarding: 1
    >
    > /etc/pf.conf:
    >
    > int_if = "em0"
    > ext_if = "em1"
    >
    > udp_services = "{ 53 }"
    > tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389, 3128 }"
    > icmp_types = "echoreq"
    > priv_nets = "{ 0.0.0.0/8, 20.20.20.0/24, 169.254.0.0/16, 127.0.0.0/8,
    > 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 224.0.0.0/3 }"
    >
    > # options
    > set block-policy return
    > set loginterface $ext_if
    >
    > # scrub
    > scrub in all
    >
    > # nat/rdr
    > nat on $ext_if from $int_if:network to any -> ($ext_if)
    > rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
    >
    > # filter rules
    > block all
    > pass quick on lo0 all
    > block drop in quick on $ext_if from $priv_nets to any
    > block drop out quick on $ext_if from any to $priv_nets
    > pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
    > pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
    > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
    > pass out on $ext_if inet proto tcp from any to any port www keep state
    > pass in inet proto icmp all icmp-type $icmp_types keep state
    > pass in on $int_if from $int_if:network to any keep state
    > pass out on $int_if from any to $int_if:network keep state
    > pass out on $ext_if proto tcp all modulate state flags S/SA
    > pass out on $ext_if proto { udp, icmp } all keep state
    >
    > rc.conf:
    > ifconfig_em0="inet 192.168.1.1 netmask 255.255.255.0"
    > ifconfig_em1="inet 65.81.102.2 netmask 255.255.255.248"
    > defaultrouter="65.81.102.1"
    > gateway_enable="YES"
    > pf_enable="YES"
    > pf_rules="/etc/pf.conf"
    > pf_program="/sbin/pfctl"
    > pf_flags=""
    > pflog_enable="YES"
    > pflog_logfile="/var/log/pflog"
    > pflog_program="/sbin/pflogd"
    > pflog_flags=""
    >
    >
    > # PF Kernel Config
    >
    > device pf
    > device pflog
    > device pfsync
    > options ALTQ
    > options ALTQ_CBQ
    > options ALTQ_RED
    > options ALTQ_RIO
    > options ALTQ_HFSC
    > options ALTQ_CDNR
    > options ALTQ_PRIQ
    >
    > Where else could it be? I have several other machines that have very
    > similar configurations and with no problems, of course they are all
    > within a 2 hour drive ;)
    >
    > Thanks for any help or suggestions.
    >
    > ed
    >
    > _______________________________________________
    > freebsd-current@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-current
    > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
    >

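The quoted message walks through the three things a pf NAT gateway needs before packets from the LAN can leave: ip forwarding turned on, a nat rule actually loaded on the external interface, and pf seeing traffic on the interfaces (the "all zeros" from pfctl -vv -s Interfaces was the poster's symptom). The script below is an added example, not code from the thread or from FreeBSD; it turns those checks into shell functions that work on captured command output, so they can be run against text pasted from a remote box as well as live. The sample sysctl, pfctl -s nat and pfctl -vv -s Interfaces outputs are constructed to resemble the real layout and are not from the poster's machine; the interface name em1 is taken from the quoted rc.conf.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a pf NAT gateway on
# FreeBSD. Each check is a pure function over command output, so it can be run
# on captured text; the report call at the bottom shows live usage in a comment.

# True when the output of `sysctl net.inet.ip.forwarding` reports forwarding on.
# gateway_enable="YES" in rc.conf is what sets this at boot.
forwarding_enabled() {
    case "$1" in
        *"net.inet.ip.forwarding: 1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the `pfctl -s nat` listing holds a nat rule on the given interface.
# pfctl prints rules with macros already expanded, so match the literal name.
nat_rule_present() {
    # $1: external interface, $2: pfctl -s nat output
    printf '%s\n' "$2" | grep -q "^nat on $1 "
}

# Read `pfctl -vv -s Interfaces` output on stdin and print each interface whose
# IPv4 pass/block packet counters are all zero. An idle-looking interface that
# should be carrying traffic means pf never sees the packets there (rules not
# loaded for it, wrong interface name, or forwarding off for transit traffic).
idle_interfaces() {
    awk '
        function flush() { if (iface != "" && total == 0) print iface }
        /^[^ \t]/ { flush(); iface = $1; total = 0; next }
        /^[ \t]+(In|Out)4\/(Pass|Block):/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") total += $(i + 1)
        }
        END { flush() }
    '
}

# Run every check; prints findings and returns 1 when forwarding or nat is missing.
report() {
    # $1: sysctl output, $2: external interface, $3: pfctl -s nat output,
    # $4: pfctl -vv -s Interfaces output
    rc=0
    forwarding_enabled "$1" || { echo "net.inet.ip.forwarding is off"; rc=1; }
    nat_rule_present "$2" "$3" || { echo "no nat rule loaded on $2"; rc=1; }
    for i in $(printf '%s\n' "$4" | idle_interfaces); do
        echo "no IPv4 packets counted on $i"
    done
    return $rc
}

# Constructed sample outputs (layout modelled on pfctl/sysctl, values invented).
SAMPLE_SYSCTL="net.inet.ip.forwarding: 1"
SAMPLE_NAT="nat on em1 inet from 192.168.1.0/24 to any -> (em1) round-robin"
SAMPLE_IFACES="em0
    Cleared:     Sat Jul 23 06:07:30 2005
    References:  [ States:  0                  Rules: 2                  ]
    In4/Pass:    [ Packets: 0                  Bytes: 0                  ]
    In4/Block:   [ Packets: 0                  Bytes: 0                  ]
    Out4/Pass:   [ Packets: 0                  Bytes: 0                  ]
    Out4/Block:  [ Packets: 0                  Bytes: 0                  ]
em1
    Cleared:     Sat Jul 23 06:07:30 2005
    References:  [ States:  3                  Rules: 9                  ]
    In4/Pass:    [ Packets: 1204               Bytes: 98012              ]
    In4/Block:   [ Packets: 17                 Bytes: 1360               ]
    Out4/Pass:   [ Packets: 1188               Bytes: 87340              ]
    Out4/Block:  [ Packets: 0                  Bytes: 0                  ]
pflog0
    Cleared:     Sat Jul 23 06:07:30 2005
    References:  [ States:  0                  Rules: 0                  ]
    In4/Pass:    [ Packets: 0                  Bytes: 0                  ]
    In4/Block:   [ Packets: 0                  Bytes: 0                  ]
    Out4/Pass:   [ Packets: 0                  Bytes: 0                  ]
    Out4/Block:  [ Packets: 0                  Bytes: 0                  ]"

# On a live gateway:
#   report "$(sysctl net.inet.ip.forwarding)" em1 "$(pfctl -s nat)" "$(pfctl -vv -s Interfaces)"
report "$SAMPLE_SYSCTL" em1 "$SAMPLE_NAT" "$SAMPLE_IFACES"
```

On the sample the script reports em0 and pflog0 as idle; pflog0 being idle is normal, em0 being idle while LAN hosts are sending is the condition the poster described. The functions only read command output, so a remote admin can paste the three outputs into variables and run report without shell access to the box.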
