Date:      Sat, 23 Jul 2005 00:02:29 -0700 (PDT)
From:      Pejman Moghadam <d_a_d_a_sh@yahoo.com>
To:        freebsd-pf@freebsd.org
Subject:   RE :RE: NAT problem with icmp 
Message-ID:  <20050723070229.25882.qmail@web32402.mail.mud.yahoo.com>
In-Reply-To: <20050723035230.38668.qmail@web32411.mail.mud.yahoo.com>

Hi,
I found another issue like this in the ipfilter FAQ (http://www.phildev.net/ipf/IPFprob.html#prob11):
 
"11. I'm using NAT and I can't ping the same machine on the internet from two different machines on my LAN at the same time:
 
It isn't possible to map ports on ICMP packets. Hence, once a state table entry is set up to a particular target, only one machine can ping that target until the state table entry expires.

For TCP and UDP, portmapping allows simultaneous connections to external targets from multiple machines in the LAN."
 
Is this also right about pf?

Thanks in advance

Pejman Moghadam <d_a_d_a_sh@yahoo.com> wrote:
Dear Greg,
According to your guide I changed my pf.conf, and everything is working very well,
but I can still ping a single IP address from only one of my clients; when I stop pinging
on that station, another one begins to ping. Please check this out:

#-----------------------------
# Some definitions
extif="{ ed0 }"
extip="{ (ed0) }"
intif="{ dc0 }"
intip="{ (dc0) }"
table { 192.168.1.0/24 }
cache="192.168.1.1"

lan_inet_tcp="{ 80 800 8000 8080 8383 3000 3128 2082 2095 443 21 20 25 110 23 22 5631 554 7070 5050 5001 5100 11999 1863 }"
lan_inet_udp="{ 53 161 5632 5000 6970><7170 }"
lan_inet_icmp="{ 192.9.9.3 }"

fw_inet_tcp="{ 80 800 8000 8080 8383 3000 3128 2082 2095 443 21 20 25 110 23 22 5631 554 7070 5050 5001 5100 11999 1863 }"
fw_inet_udp="{ 53 161 5632 5000 6970><7170}"
fw_inet_icmp="{ 192.9.9.3 }"

lan_fw_tcp="{ 80 22 3128 20 21 8021 }"
lan_fw_udp="{ 53 161 }"
lan_fw_icmp = "{ self }"

fw_lan_tcp="{ 80 21 20 23 22 }"
fw_lan_udp="{ 53 161 }"
fw_lan_icmp="{ }"

lan_lan_tcp="{ 80 20 21 25 110 23 22 5631 }"
lan_lan_udp="{ 53 161 5632 }"
lan_lan_icmp="{ }"

#inet_fw_tcp
#inet_fw_udp
#inet_fw_icmp

#inet_lan_tcp
#inet_lan_udp
#inet_lan_icmp
#-----------------------------
# normalization incoming packets
scrub in all
#-----------------------------
# nat 
nat on $extif from to any -> $extip 

# ftp redirect for clients behind the firewall
rdr on $intif inet proto tcp from to ! port 21 -> $intip port 8021

# http redirect local cache
rdr on $intif inet proto tcp from to ! port 80 -> $intip port 3128

# http redirect remote cache
#rdr on $intif inet proto tcp from to ! port 80 -> $cache port 3128
#nat on $intif from to $cache -> $intip 
#-----------------------------
# policy
block log all

# anti spoofing
antispoof quick for $intif inet

# loopback
pass quick on lo0 all
#-----------------------------
# LAN -> INET
pass in quick on $intif inet proto icmp from to $lan_inet_icmp keep state
pass in quick on $intif inet proto udp from to any port $lan_inet_udp keep state
pass in quick on $intif inet proto tcp from to any port $lan_inet_tcp flags S/SA modulate state
#-----------------------------
# FW -> INET
pass out quick on $extif inet proto icmp from $extip to $fw_inet_icmp keep state
pass out quick on $extif inet proto udp from $extip to any port $fw_inet_udp keep state
pass out quick on $extif inet proto tcp from $extip to any port $fw_inet_tcp flags S/SA modulate state
#-----------------------------
# LAN -> FW
pass in quick on $intif inet proto icmp from to $lan_fw_icmp keep state
pass in quick on $intif inet proto udp from to $intip port $lan_fw_udp keep state
pass in quick on $intif inet proto tcp from to $intip port $lan_fw_tcp flags S/SA modulate state
#-----------------------------
# FW -> LAN
pass out quick on $intif inet proto icmp from $intip to $fw_lan_icmp keep state
pass out quick on $intif inet proto udp from $intip to any port $fw_lan_udp keep state
pass out quick on $intif inet proto tcp from $intip to any port $fw_lan_tcp flags S/SA modulate state

# for ftp-proxy connections :(
pass out quick on $intif inet proto tcp from $intip to any flags S/SA modulate state
#-----------------------------
# LAN -> LAN
pass in quick on $intif inet proto icmp from to $lan_lan_icmp keep state
pass in quick on $intif inet proto udp from to port $lan_lan_udp keep state
pass in quick on $intif inet proto tcp from to port $lan_lan_tcp flags S/SA modulate state
#-----------------------------
# INET -> FW
# for ftp-proxy connections
pass in quick on $extif inet proto tcp from any port 20 to $extip user proxy flags S/SA modulate state
#-----------------------------
# INET -> LAN
#-----------------------------


And again:

>>The problem is:
>>I can ping 192.9.9.3 from only one of my stations (192.168.1.18).
>>Other stations show "Request timed out." (192.168.1.19)
>>So... is there any problem with NATing ICMP packets in pf?
>>Or is this just my mistake in pf.conf?

Thanks in advance
Pejman


Greg Hennessy wrote:

> Hi,
> Here is a simple explanation:
> This is my pf.conf
> 
> extif="{ ed0 }"
> extip="{ (ed0) }"
> table { 192.168.1.0/24 }
> nat on $extif from to any -> $extip pass all

The syntax for the nat statement above doesn't look right. 

> I want to ping from my LAN stations to a public DNS server
> like 192.9.9.3. Look at my state table:

You need to add a pass rule on the inside interface to make it so. 


At the very least your packet filtering policy should consist of the
following in addition to what you have above. 


ICMP="inet proto icmp"
KS="keep state"
intif="dc0"
.
.
set block-policy return

#
# If using CURRENT; otherwise use the pass rule below. 
set skip on lo0
.
.
.


block log all 

# on 5.x instead of 'set skip'
pass on lo0 all keep state
#

pass in log quick on $intif $ICMP from $intif:network to !$intif:network icmp-type echoreq $KS



Make sure you have routing enabled as appropriate. 



Greg

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"


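To make the point of the quoted ipfilter FAQ concrete, here is a small Python model of a NAT state table for ICMP echo, added for this page (it is neither pf's nor ipfilter's code and does not claim to show what pf does). With map_ids=False the translator keeps the inside host's echo identifier, so a second LAN host pinging the same target collides with the existing state and is dropped; with map_ids=True it rewrites the identifier the same way TCP/UDP source ports are mapped. The addresses and the echo identifier 512 are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int]  # (inside host, inside echo identifier)


@dataclass
class IcmpNat:
    """Toy NAT for ICMP echo: state keyed on what a reply carries (dst, external id)."""
    ext_ip: str
    map_ids: bool                                 # False models the FAQ behaviour
    states: Dict[Tuple[str, int], Flow] = field(default_factory=dict)

    def outbound(self, src: str, echo_id: int, dst: str) -> Optional[Tuple[str, int]]:
        """Translate an echo request; return (external src, external id) or None if dropped."""
        # An existing flow from the same inside host/id reuses its state.
        for (d, ext_id), flow in self.states.items():
            if d == dst and flow == (src, echo_id):
                return (self.ext_ip, ext_id)
        ext_id = echo_id
        if (dst, ext_id) in self.states:
            if not self.map_ids:
                # Another host already owns (dst, id): no way to tell replies apart,
                # so the new flow cannot get a state until the old one expires.
                return None
            # Identifier mapping, the ICMP analogue of TCP/UDP port mapping.
            ext_id = next(i for i in range(1, 65536) if (dst, i) not in self.states)
        self.states[(dst, ext_id)] = (src, echo_id)
        return (self.ext_ip, ext_id)

    def inbound(self, src: str, echo_id: int) -> Optional[Flow]:
        """Translate an echo reply from src to ext_ip back to the inside host; None if no state."""
        return self.states.get((src, echo_id))


def ping_both(map_ids: bool) -> Dict[str, str]:
    """Two LAN hosts ping 192.9.9.3 with the same echo id through one NAT (constructed values)."""
    nat = IcmpNat("203.0.113.1", map_ids)
    results = {}
    for host in ("192.168.1.18", "192.168.1.19"):
        out = nat.outbound(host, 512, "192.9.9.3")
        if out is None:
            results[host] = "Request timed out."
            continue
        back = nat.inbound("192.9.9.3", out[1])
        results[host] = "reply" if back == (host, 512) else "misdelivered"
    return results


if __name__ == "__main__":
    print("no id mapping:", ping_both(False))
    print("id mapping:   ", ping_both(True))
```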



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050723070229.25882.qmail>