From: Pejman Moghadam
To: freebsd-pf@freebsd.org
Date: Fri, 22 Jul 2005 20:52:30 -0700 (PDT)
Subject: RE: NAT problem with icmp
In-Reply-To: <20050720073837.AA41F1C@gw2.local.net>

Dear Greg,

According to your guide I changed my pf.conf, and everything is working very well, but I can still ping a single IP address from only one of my clients; when I stop pinging on that station, another one begins to ping. Please check this out:

#-----------------------------
# Some definitions
extif="{ ed0 }"
extip="{ (ed0) }"
intif="{ dc0 }"
intip="{ (dc0) }"
table { 192.168.1.0/24 }
cache="192.168.1.1"
lan_inet_tcp="{ 80 800 8000 8080 8383 3000 3128 2082 2095 443 21 20 25 110 23 22 5631 554 7070 5050 5001 5100 11999 1863 }"
lan_inet_udp="{ 53 161 5632 5000 6970><7170 }"
lan_inet_icmp="{ 192.9.9.3 }"
fw_inet_tcp="{ 80 800 8000 8080 8383 3000 3128 2082 2095 443 21 20 25 110 23 22 5631 554 7070 5050 5001 5100 11999 1863 }"
fw_inet_udp="{ 53 161 5632 5000 6970><7170 }"
fw_inet_icmp="{ 192.9.9.3 }"
lan_fw_tcp="{ 80 22 3128 20 21 8021 }"
lan_fw_udp="{ 53 161 }"
lan_fw_icmp="{ self }"
fw_lan_tcp="{ 80 21 20 23 22 }"
fw_lan_udp="{ 53 161 }"
fw_lan_icmp="{ }"
lan_lan_tcp="{ 80 20 21 25 110 23 22 5631 }"
lan_lan_udp="{ 53 161 5632 }"
lan_lan_icmp="{ }"
#inet_fw_tcp
#inet_fw_udp
#inet_fw_icmp
#inet_lan_tcp
#inet_lan_udp
#inet_lan_icmp
#-----------------------------
# normalization of incoming packets
scrub in all
#-----------------------------
# nat
nat on $extif from to any -> $extip
# ftp redirect for clients behind the firewall
rdr on $intif inet proto tcp from to ! port 21 -> $intip port 8021
# http redirect to local cache
rdr on $intif inet proto tcp from to ! port 80 -> $intip port 3128
# http redirect to remote cache
#rdr on $intif inet proto tcp from to ! port 80 -> $cache port 3128
#nat on $intif from to $cache -> $intip
#-----------------------------
# policy
block log all
# anti spoofing
antispoof quick for $intif inet
# loopback
pass quick on lo0 all
#-----------------------------
# LAN -> INET
pass in quick on $intif inet proto icmp from to $lan_inet_icmp keep state
pass in quick on $intif inet proto udp from to any port $lan_inet_udp keep state
pass in quick on $intif inet proto tcp from to any port $lan_inet_tcp flags S/SA modulate state
#-----------------------------
# FW -> INET
pass out quick on $extif inet proto icmp from $extip to $fw_inet_icmp keep state
pass out quick on $extif inet proto udp from $extip to any port $fw_inet_udp keep state
pass out quick on $extif inet proto tcp from $extip to any port $fw_inet_tcp flags S/SA modulate state
#-----------------------------
# LAN -> FW
pass in quick on $intif inet proto icmp from to $lan_fw_icmp keep state
pass in quick on $intif inet proto udp from to $intip port $lan_fw_udp keep state
pass in quick on $intif inet proto tcp from to $intip port $lan_fw_tcp flags S/SA modulate state
#-----------------------------
# FW -> LAN
pass out quick on $intif inet proto icmp from $intip to $fw_lan_icmp keep state
pass out quick on $intif inet proto udp from $intip to any port $fw_lan_udp keep state
pass out quick on $intif inet proto tcp from $intip to any port $fw_lan_tcp flags S/SA modulate state
# for ftp-proxy connections :(
pass out quick on $intif inet proto tcp from $intip to any flags S/SA modulate state
#-----------------------------
# LAN -> LAN
pass in quick on $intif inet proto icmp from to $lan_lan_icmp keep state
pass in quick on $intif inet proto udp from to port $lan_lan_udp keep state
pass in quick on $intif inet proto tcp from to port $lan_lan_tcp flags S/SA modulate state
#-----------------------------
# INET -> FW
# for ftp-proxy connections
pass in quick on $extif inet proto tcp from any port 20 to $extip user proxy flags S/SA modulate state
#-----------------------------
# INET -> LAN
#-----------------------------

And again:

>> The problem is:
>> I can ping 192.9.9.3 from only one of my stations (192.168.1.18).
>> Other stations show "Request timed out." (192.168.1.19)
>> So... is there any problem with NATing ICMP packets in pf?
>> Or is this just my mistake in pf.conf?

Thanks in advance
Pejman

Greg Hennessy wrote:

> Hi,
> Here is a simple explanation:
> This is my pf.conf
>
> extif="{ ed0 }"
> extip="{ (ed0) }"
> table { 192.168.1.0/24 }
> nat on $extif from to any -> $extip
> pass all

The syntax for the nat statement above doesn't look right.

> I want to ping from my LAN stations to a public DNS server
> like 192.9.9.3. Look at my state table:

You need to add a pass rule on the inside interface to make it so.

At the very least your packet filtering policy should consist of the following in addition to what you have above.

ICMP="inet proto icmp"
KS="keep state"
intif="dc0"
.
.
set block-policy return
#
# If using CURRENT; otherwise use the pass rule below.
set skip on lo0
.
.
.
block log all
# on 5.x instead of 'set skip'
pass on lo0 all keep state
#
pass in log quick on $intif $ICMP from $intif:network to !$intif:network icmp-type echoreq $KS

Make sure you have routing enabled as appropriate.

Greg
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
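The thread does not settle why only one LAN host at a time can ping 192.9.9.3 through the NAT. One mechanism with exactly that symptom is a NAT state keyed on the ICMP echo identifier when two clients happen to use the same id: the second client's state cannot be inserted until the first one's expires. The Python model below is an added example, not pf's code and not a diagnosis taken from the thread; it assumes that state layout, uses the thread's 192.9.9.3 and 192.168.1.18/.19, and constructs the external address and the pool of translated ids.

```python
"""Added model (not pf's code) of a NAT state table keyed on the ICMP echo id."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Echo:
    src: str      # addresses: 192.9.9.3 and 192.168.1.x from the thread, others constructed
    dst: str
    icmp_id: int
    seq: int

class IcmpNat:
    def __init__(self, ext_ip, translate_id):
        self.ext_ip = ext_ip
        self.translate_id = translate_id  # rewrite the echo id on the way out?
        self.states = {}                  # (dst, ext_id) -> (lan_src, lan_id)
        self.next_id = 40000              # constructed pool of translated ids

    def outbound(self, pkt):
        for (dst, ext_id), (src, lan_id) in self.states.items():
            if (src, lan_id, dst) == (pkt.src, pkt.icmp_id, pkt.dst):
                return replace(pkt, src=self.ext_ip, icmp_id=ext_id)  # existing state
        ext_id = pkt.icmp_id
        if self.translate_id:
            ext_id, self.next_id = self.next_id, self.next_id + 1
        if (pkt.dst, ext_id) in self.states:  # external key owned by another client
            return None                       # state insert fails, packet is dropped
        self.states[(pkt.dst, ext_id)] = (pkt.src, pkt.icmp_id)
        return replace(pkt, src=self.ext_ip, icmp_id=ext_id)

    def inbound(self, reply):
        owner = self.states.get((reply.src, reply.icmp_id))  # reply.src is the pinged host
        if owner is None:
            return None
        return replace(reply, dst=owner[0], icmp_id=owner[1])

    def expire(self, lan_src):
        self.states = {k: v for k, v in self.states.items() if v[0] != lan_src}

def simulate(translate_id):
    """Hosts .18 and .19 ping 192.9.9.3 with id 512; .19 retries after .18 stops."""
    nat = IcmpNat("198.51.100.1", translate_id)
    first = nat.outbound(Echo("192.168.1.18", "192.9.9.3", 512, 1))
    second = nat.outbound(Echo("192.168.1.19", "192.9.9.3", 512, 1))
    reply = nat.inbound(Echo("192.9.9.3", nat.ext_ip, first.icmp_id, 1))
    nat.expire("192.168.1.18")
    retry = nat.outbound(Echo("192.168.1.19", "192.9.9.3", 512, 2))
    return {"first": first, "second": second, "reply": reply, "retry": retry}
```

With translate_id=False the second client's echo is dropped until the first client's state expires, which is the behaviour described in the message; with translate_id=True both clients get distinct external ids and their replies are demultiplexed correctly.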