Date:      Mon, 1 Oct 2007 17:27:19 +0400
From:      Антон Дергачев <a.v.dergatcheff@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   FreeBSD 6.2-STABLE + PF + BINAT problem
Message-ID:  <37dd05030710010627h2a52c002i9f7e54b91ea2dfb9@mail.gmail.com>

Good time of day!

I have two servers with FreeBSD 6.2-STABLE on them, both with pf compiled into the
kernel.
The first one works fine. It has 5 ISP-registered world IP
addresses and serves a small LAN with some WEB and FTP servers.
The second one doesn't work at all.
It has over 100 ISP IPs and a list of binat rules in the config. I don't know
what to do, but this pf.conf has worked fine under OpenBSD 3.9 for a year!
pfctl -xm && pfctl -si and reading /var/log/messages don't clarify the
situation.
The option gateway_enable="YES" is present in rc.conf.

# cat /etc/pf.conf
ext_if="em0"
cli_if="em1"

adsl_net="192.168.12.0/24"

set timeout { interval 30, frag 90 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 120, udp.single 60, udp.multiple 120 }
set timeout { icmp.first 80, icmp.error 40 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 1000000, frags 1000000, src-nodes 1000000 }
set loginterface none
set optimization conservative
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"


scrub in all fragment reassemble min-ttl 15 max-mss 2500
scrub all reassemble tcp


altq on $ext_if cbq bandwidth 5.0Mb queue { cli }
queue cli bandwidth 4.0Mb { adsl_ext }
queue adsl_ext bandwidth 100% cbq(default red)

altq on $cli_if cbq bandwidth 5.0Mb queue { adsl_int }
queue adsl_int bandwidth 4.0Mb priority 5 cbq(default red)

binat on $ext_if from 192.168.12.11 to any -> a.b.c.1
<... and so on for over 100 IPs....>
nat on $ext_if from em1:network to any -> { z.x.y.1, z.x.y.2, z.x.y.3 } round-robin sticky-address

table <badhosts> persist
block quick on $ext_if from <badhosts> to any

pass out on $ext_if from $adsl_net to any queue adsl_ext

pass out on $cli_if from any to $adsl_net queue adsl_int
#

As you see, there is only one rule for filtering, and two rules for the shaper.

Where is my error?

Sincerely yours,
Anthony V.
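Added example, not from the original mail and not part of pf: with over 100 binat rules, a consistency check on the rule list is cheap and catches mapping errors that a syntax check alone does not cover. The Python below parses the binat rules and the nat pool out of a pf.conf text (the sample fragment is constructed, with documentation addresses in place of the a.b.c.* and z.x.y.* placeholders) and reports an internal address translated twice, an external address shared by two hosts, and a binat address that also appears in the dynamic nat pool.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the post's pf.conf: documentation
# addresses stand in for the a.b.c.* / z.x.y.* placeholders, and the rules
# deliberately contain the mistakes the checker is meant to catch.
SAMPLE_PF_CONF = """\
ext_if="em0"
binat on $ext_if from 192.168.12.11 to any -> 203.0.113.1
binat on $ext_if from 192.168.12.12 to any -> 203.0.113.2
binat on $ext_if from 192.168.12.13 to any -> 203.0.113.2
binat on $ext_if from 192.168.12.11 to any -> 203.0.113.4
nat on $ext_if from em1:network to any -> { 203.0.113.2, 203.0.113.10 } round-robin sticky-address
"""

BINAT_RE = re.compile(r"^\s*binat\s+on\s+\S+\s+from\s+(\S+)\s+to\s+\S+\s+->\s+(\S+)\s*$")
NAT_POOL_RE = re.compile(r"^\s*nat\s+on\s+.*->\s*\{([^}]*)\}")


def check_binat(conf):
    """Report binat mappings that cannot all hold at once.

    binat is a 1:1 bidirectional mapping, so an internal address translated
    twice or an external address shared by two hosts is inconsistent, and an
    external address that also sits in the dynamic nat pool is almost certainly
    a slip. Returns a dict keyed by problem kind."""
    binats, pool = [], set()
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = BINAT_RE.match(line)
        if m:
            binats.append((lineno, m.group(1), m.group(2)))
        m = NAT_POOL_RE.match(line)
        if m:  # pool is complete before the membership test below runs
            pool.update(a.strip() for a in m.group(1).split(",") if a.strip())
    by_internal, by_external = defaultdict(list), defaultdict(list)
    problems = {"bad_address": [], "external_in_nat_pool": []}
    for lineno, internal, external in binats:
        for addr in (internal, external):
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                problems["bad_address"].append((lineno, addr))
        by_internal[internal].append(lineno)
        by_external[external].append(lineno)
        if external in pool:
            problems["external_in_nat_pool"].append((lineno, external))
    problems["dup_internal"] = [(a, ls) for a, ls in by_internal.items() if len(ls) > 1]
    problems["dup_external"] = [(a, ls) for a, ls in by_external.items() if len(ls) > 1]
    return problems
```

On the sample it reports 192.168.12.11 mapped on two lines, 203.0.113.2 shared by two hosts and also present in the nat pool; feed it the real file contents with open("/etc/pf.conf").read().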
