Date:      Wed, 20 Jul 2005 08:38:37 +0100
From:      "Greg Hennessy" <Greg.Hennessy@nviz.net>
To:        <freebsd-pf@freebsd.org>
Subject:   RE: NAT problem with icmp 
Message-ID:  <20050720073837.AA41F1C@gw2.local.net>
In-Reply-To: <20050720054644.68432.qmail@web32401.mail.mud.yahoo.com>

> Hi,
> Here is simple explanation :
> This is my pf.conf
>  
> extif="{ ed0 }"
> extip="{ (ed0) }"
> table <lan> { 192.168.1.0/24 }
> nat on $extif from <lan> to any -> $extip pass all

The syntax for the nat statement above doesn't look right. 

> I want to ping from my lan stations to a public dns server 
> like 192.9.9.3 look at my state table:

You need to add a pass rule on the inside interface to make it so. 


At the very least your packet filtering policy should consist of the
following in addition to what you have above. 


ICMP="inet proto icmp"
KS="keep state"
intif="dc0"
.
.
set block-policy return

#
# If using CURRENT otherwise use the pass rule below. 
set skip on lo0
.
.
.


block log all 

# on 5.x instead of 'set skip'
pass on lo0 all keep state
#

pass in log quick on $intif $ICMP from $intif:network to ! $intif:network \
    icmp-type echoreq $KS



Make sure you have routing enabled as appropriate. 



Greg
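
The fragments above put together as one loadable ruleset. This is an added example for illustration, not Greg's configuration or the original poster's: the interface names (ed0 outside, dc0 inside) and the 192.168.1.0/24 LAN are taken from the thread, while the nat rule is written in the standard form (an assumption about what the poster intended) and the outbound rule on the external interface is an addition the reply itself does not spell out.

```pf
# Added example: minimal pf.conf assembled from the pieces in this thread.
# ed0 (outside), dc0 (inside) and 192.168.1.0/24 come from the thread;
# everything else is an assumption for illustration.

extif = "ed0"
intif = "dc0"
table <lan> { 192.168.1.0/24 }

ICMP = "inet proto icmp"
KS   = "keep state"

set block-policy return
# FreeBSD -CURRENT / 6.x; on 5.x drop this line and use: pass on lo0 all keep state
set skip on lo0

# Translation: LAN sources only, applied as packets leave the outside interface.
# "($extif)" in parentheses follows the interface's current address, so an
# address change on ed0 (e.g. DHCP) does not require reloading the ruleset.
nat on $extif from <lan> to any -> ($extif)

# Default deny, logged, so anything not explicitly allowed is visible on pflog0.
block log all

# Inside interface: LAN hosts may send echo requests to non-LAN destinations.
# "keep state" creates a state entry that also matches the echo reply on its
# way back, so no separate rule for icmp-type echorep is needed.
pass in log quick on $intif $ICMP from $intif:network to ! $intif:network \
    icmp-type echoreq $KS

# Outside interface: nat has already rewritten the source to ed0's address by
# the time the packet is filtered here. With pf's default floating state
# policy the state created above already matches, so this rule is optional;
# it is kept so the intended flow is visible in "pfctl -sr".
pass out quick on $extif $ICMP from ($extif) to any icmp-type echoreq $KS
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and watch the translated entry appear with `pfctl -ss` while a LAN host pings. Routing must be on as the reply notes: `sysctl net.inet.ip.forwarding=1`, made persistent with `gateway_enable="YES"` in /etc/rc.conf.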




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050720073837.AA41F1C>