Re: I just installed pf on a new server w/current and nat doesn't seem to work.

From: <eculp_at_bafirst.com>
Date: Sat, 23 Jul 2005 06:07:30 -0500
Problem fixed.  Thanks

ed

Quoting eculp_at_bafirst.com:

> My major problem is that I am over 2500 miles from the server and in 
> another country.  I have configured a current box with the idea of 
> stopping at 6.0 but that is another issue.
>
> It would seem that pf nat isn't working.  The machines on the lan 
> pick up their configuration from dhcpd and can ping their gateway 
> 192.168.1.1 (em0 on the server) and 65.81.102.2 (em1 on the server) 
> but cannot ping 65.81.102.1, the server's gateway.  It would seem that 
> there are issues with either ip forwarding or pf nat.  When I do a 
> pfctl -vv -s Interfaces I get all zeros even though I am creating 
> traffic on the server.  That doesn't seem to be right.
>
> My configurations follow.  I would sure appreciate any suggestions 
> because I'm afraid that I've missed something.  That is usually the 
> case with problems like this.
>
> # sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding: 1
>
> /etc/pf.conf:
>
> int_if = "em0"
> ext_if = "em1"
>
> udp_services = "{ 53 }"
> tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389, 3128 }"
> icmp_types = "echoreq"
> priv_nets = "{ 0.0.0.0/8, 20.20.20.0/24, 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 224.0.0.0/3 }"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> # scrub
> scrub in all
>
> # nat/rdr
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
>
> # filter rules
> block all
> pass quick on lo0 all
> block drop in  quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
> pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
> pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> pass out on $ext_if inet proto tcp from any to any port www keep state
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass in  on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
>
> rc.conf:
> ifconfig_em0="inet 192.168.1.1 netmask 255.255.255.0"
> ifconfig_em1="inet 65.81.102.2 netmask 255.255.255.248"
> defaultrouter="65.81.102.1"
> gateway_enable="YES"
> pf_enable="YES"
> pf_rules="/etc/pf.conf"
> pf_program="/sbin/pfctl"
> pf_flags=""
> pflog_enable="YES"
> pflog_logfile="/var/log/pflog"
> pflog_program="/sbin/pflogd"
> pflog_flags=""
>
>
> # PF Kernel Config
>
> device pf
> device pflog
> device pfsync
> options ALTQ
> options ALTQ_CBQ
> options ALTQ_RED
> options ALTQ_RIO
> options ALTQ_HFSC
> options ALTQ_CDNR
> options ALTQ_PRIQ
>
> Where else could it be?  I have several other machines that have very 
> similar configurations and with no problems, of course they are all 
> within a 2 hour drive ;)
>
> Thanks for any help or suggestions.
>
> ed
>
> _______________________________________________
> freebsd-current_at_freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe_at_freebsd.org"
>
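An added check, written for this thread and not part of the original post or of pf, that parses the quoted pf.conf, expands its macros and reports the gateway mistakes the post is trying to rule out: forwarding disabled, no nat rule on the external interface, a block rule on the internal interface that covers the LAN, and no pass-in rule for the LAN. The sample pf.conf is constructed from the quoted rules, the LAN prefix 192.168.1.0/24 is taken from the quoted rc.conf, and the forwarding value is passed in as a parameter rather than read from sysctl.

```python
import ipaddress
import re

# Constructed sample: the macros and rules from the quoted pf.conf that the check needs.
PF_CONF = """\
int_if = "em0"
ext_if = "em1"
priv_nets = "{ 0.0.0.0/8, 20.20.20.0/24, 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 224.0.0.0/3 }"
set block-policy return
nat on $ext_if from $int_if:network to any -> ($ext_if)
block all
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
"""

def parse_pf(text):
    """Return (macros, rules): macro definitions and rule lines with $macro references expanded."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"(.*)"$', line)   # macro definition: name = "value"
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        rules.append(re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line))
    return macros, rules

def check_nat_gateway(text, forwarding, lan_net):
    """List the misconfigurations that let LAN hosts reach the gateway but nothing beyond it."""
    macros, rules = parse_pf(text)
    int_if, ext_if = macros["int_if"], macros["ext_if"]
    findings = []
    if forwarding != 1:   # forwarding is an assumed input here; on the box it comes from sysctl
        findings.append("net.inet.ip.forwarding is not 1: kernel will not route between interfaces")
    if not any(r.startswith(f"nat on {ext_if} from {int_if}:network") and r.endswith(f"-> ({ext_if})") for r in rules):
        findings.append(f"no nat rule on {ext_if} translating {int_if}:network to ({ext_if})")
    lan = ipaddress.ip_network(lan_net)
    for r in rules:   # a private-net block on the inside interface would drop the LAN itself
        if r.startswith("block") and f" on {int_if} " in r:
            nets = re.findall(r"\d+\.\d+\.\d+\.\d+/\d+", r)
            if any(lan.subnet_of(ipaddress.ip_network(n)) for n in nets):
                findings.append(f"block rule on {int_if} covers the LAN {lan_net}: {r}")
    if not any(r.startswith("pass in") and f" on {int_if} " in r for r in rules):
        findings.append(f"no 'pass in on {int_if}' rule: LAN traffic is dropped by 'block all'")
    return findings
```

For the quoted configuration with forwarding enabled the check returns no findings, which is consistent with the post: the ruleset itself is sound, so the cause had to be found elsewhere.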
Received on Sat Jul 23 2005 - 09:07:32 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:39 UTC