From: Антон Дергачев <a.v.dergatcheff@gmail.com>
To: freebsd-pf@freebsd.org
Date: Mon, 1 Oct 2007 17:27:19 +0400
Subject: FreeBSD 6.2-STABLE + PF + BINAT problem
Good time of day!

I have two servers with FreeBSD 6.2-STABLE on them, both with pf compiled into the kernel. The first one works fine. It has 5 ISP-registered world IP addresses and serves a small LAN with some WEB and FTP servers. The second one didn't work at all. It has over 100 ISP IPs and a list of binat rules in its config. I don't know what to do, but this pf.conf has worked fine under OpenBSD 3.9 for a year! pfctl -xm && pfctl -si and reading /var/log/messages don't clear up the situation. The option gateway_enable="YES" is present in rc.conf.

# cat /etc/pf.conf
# macros
ext_if="em0"
cli_if="em1"
adsl_net="192.168.12.0/24"

# options
set timeout { interval 30, frag 90 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 120, udp.single 60, udp.multiple 120 }
set timeout { icmp.first 80, icmp.error 40 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 1000000, frags 1000000, src-nodes 1000000 }
set loginterface none
set optimization conservative
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# normalization
scrub in all fragment reassemble min-ttl 15 max-mss 2500
scrub all reassemble tcp

# queueing (shaper)
altq on $ext_if cbq bandwidth 5.0Mb queue { cli }
queue cli bandwidth 4.0Mb { adsl_ext }
queue adsl_ext bandwidth 100% cbq(default red)
altq on $cli_if cbq bandwidth 5.0Mb queue { adsl_int }
queue adsl_int bandwidth 4.0Mb priority 5 cbq(default red)

# translation
binat on $ext_if from 192.168.12.11 to any -> a.b.c.1
<... and so on for over 100 IPs....>
nat on $ext_if from em1:network to any -> { z.x.y.1, z.x.y.2, z.x.y.3 } round-robin sticky-address

# filtering
# (the table name between angle brackets was lost in the archived copy of this mail)
table persist
block quick on $ext_if from to any
pass out on $ext_if from $adsl_net to any queue adsl_ext
pass out on $cli_if from any to $adsl_net queue adsl_int

As you see, there is only one rule for filtering, and two rules for the shaper. Where is my error?

Sincerely yours,
Anthony V.
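An added example, not part of Anthony's post: a small lint pass over a pf.conf of the layout shown above. It checks the statement ordering that pf enforces under "set require-order yes" (options, normalization, queueing, translation, filtering; macros and tables are exempt) and, since the config carries over 100 binat rules, that no internal or external address is reused, because binat is a bidirectional 1:1 mapping. The sample config is constructed and uses documentation addresses; the function name lint_pf_conf is an assumption of this example.

```python
import re
from collections import Counter
# Section order pf enforces under "set require-order yes": options, normalization,
# queueing, translation, filtering. Macros and tables are exempt from the ordering.
SECTION_OF = {"set": 0, "scrub": 1, "altq": 2, "queue": 2,
              "binat": 3, "nat": 3, "rdr": 3, "block": 4, "pass": 4}
SECTION_NAMES = ["options", "normalization", "queueing", "translation", "filtering"]
BINAT_RE = re.compile(r"binat on \S+ from (\S+) to \S+ -> (\S+)")
def lint_pf_conf(text):
    # Returns findings for require-order violations and binat rules that are not 1:1.
    findings, highest = [], 0
    internal, external = Counter(), Counter()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or "=" in line.split()[0] or line.startswith("table"):
            continue  # blank, macro definition or table: not subject to ordering
        word = line.split()[0]
        section = SECTION_OF.get(word)
        if section is None:
            findings.append(f"line {lineno}: unrecognised statement '{word}'")
            continue
        if section < highest:
            findings.append(f"line {lineno}: {SECTION_NAMES[section]} rule after "
                            f"{SECTION_NAMES[highest]} (violates require-order)")
        highest = max(highest, section)
        m = BINAT_RE.match(line)
        if m:  # binat is a bidirectional 1:1 mapping, so each address may appear once
            internal[m.group(1)] += 1
            external[m.group(2)] += 1
    for side, counter in (("internal", internal), ("external", external)):
        for addr, n in counter.items():
            if n > 1:
                findings.append(f"{side} {addr} appears in {n} binat rules (binat is 1:1)")
    return findings
# Constructed sample in the poster's layout with two deliberate faults: a duplicated
# binat external address, and a scrub rule placed after the filter rules.
SAMPLE = """\
ext_if="em0"
set block-policy drop
scrub in all fragment reassemble
altq on $ext_if cbq bandwidth 5.0Mb queue { cli }
queue cli bandwidth 4.0Mb cbq(default)
binat on $ext_if from 192.168.12.11 to any -> 203.0.113.1
binat on $ext_if from 192.168.12.12 to any -> 203.0.113.1
nat on $ext_if from em1:network to any -> 203.0.113.9
table <bad_hosts> persist
block quick on $ext_if from <bad_hosts> to any
pass out on $ext_if from 192.168.12.0/24 to any queue cli
scrub in all
"""
```

Running lint_pf_conf(SAMPLE) reports the misplaced scrub rule on line 12 and the external address that two binat rules share; pfctl -nf /etc/pf.conf remains the authoritative parse check on the box itself.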