Date: Wed, 19 Jan 2005 18:25:32 +0100
From: Karol Kwiatkowski <freebsd@orchid.homeunix.org>
To: Kosta Kilim <kopno@sdf.lonestar.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: PF and NAT on FreeBSD 5.3
Message-ID: <41EE980C.3010800@orchid.homeunix.org>
In-Reply-To: <20050119160627.GB11546@SDF.LONESTAR.ORG>
References: <20050119160627.GB11546@SDF.LONESTAR.ORG>
Kosta Kilim wrote:
> Hello,
>
> I'm trying to set up PF with NAT for my home network.
>
> PF is compiled into the kernel (FreeBSD 5.3, fresh cvsup) and working,
> I can do pfctl -e|-d|-s just fine. And pflog0 is seen in the
> ifconfig's output.
>
> My IP range is: class C /29
>
> I have an ADSL router which works in bridged mode. So I connect to the
> ISP, get a static address for the router, then I assign one to the
> machine I'd like to act as a firewall from the /29 range.
>
> So the router takes one and the machine takes one address from the class
> C /29. The other addresses can be ignored. I don't want to use them.
>
> For the rest of the machines on the network I'd like them to go
> through this machine, which I'd like to do NAT using PF.
>
> The machine has the IP from the class C /29 range, and 192.168.0.0/27
> on the other NIC.
>
> So what I'd like to know is how do I write the rules to perform
> this. I thought that just taking the rules from the first example of
> the PF tutorial would do; I changed them slightly to suit my
> scenario. But still I can only go to the net with the one machine on
> the class C /29 subnet.

pf rules look OK. Wild guess: have you enabled packet forwarding?

You can check it with sysctl(8):

  # sysctl net.inet.ip.forwarding
  net.inet.ip.forwarding: 1

To enable this at boot time put

  gateway_enable="YES"

in your /etc/rc.conf

Also check the handbook (25.2.4 Building a Router chapter):
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

> Any hints would be gladly received. Thank you for your time.

You're welcome (I'm not sure if that helps, though).

Regards,

Karol

> # macros, these are renamed to my NIC names
> int_if = "fxp0"
> ext_if = "ep0"
>
> tcp_services = "{ 22 }"
> icmp_types = "echoreq"
>
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/27 }"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> # scrub
> scrub in all
>
> # nat
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
>
> # filter rules
> block all
>
> pass quick on lo0 all
>
> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
>
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>     port $tcp_services flags S/SA keep state
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> pass in on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
>
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state

-- 
Karol Kwiatkowski <freebsd at orchid dot homeunix dot org>
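The check Karol suggests (forwarding on right now via sysctl, and gateway_enable set so it survives a reboot) as a small script. This is an added example, not code from the thread or from FreeBSD; it takes the sysctl output and the rc.conf contents as arguments so it can be run offline against the constructed sample below, and the yes/no parsing mimics rc.subr(8)'s checkyesno rather than calling it. On a real box you would run it as `check_forwarding "$(sysctl net.inet.ip.forwarding)" "$(cat /etc/rc.conf)"`.

```shell
#!/bin/sh
# Added example (not from the original thread): does this FreeBSD box
# actually route packets for the LAN behind the pf.conf NAT rule?
# Both halves matter: the sysctl is the live state, rc.conf is the
# boot-time state, and a box can be right in one and wrong in the other.

# Mimic rc.subr(8) checkyesno: yes/true/on/1, any case, mean enabled.
is_yes() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        yes|true|on|1) return 0 ;;
        *)             return 1 ;;
    esac
}

# Live state: parse "net.inet.ip.forwarding: 1" as printed by sysctl(8).
# Prints the value, or nothing if the line is missing/unparseable.
forwarding_now() {
    printf '%s\n' "$1" | sed -n 's/^net\.inet\.ip\.forwarding: *\([0-9]\).*/\1/p'
}

# Boot state: rc.conf is sourced as shell, so the last uncommented
# gateway_enable= assignment wins. Prints its value without quotes,
# or nothing if there is no such assignment.
gateway_at_boot() {
    printf '%s\n' "$1" \
      | sed -e 's/#.*$//' \
      | sed -n 's/^[[:space:]]*gateway_enable=\(.*\)$/\1/p' \
      | tail -n 1 \
      | sed -e "s/[\"' ]//g"
}

# Returns 0 when forwarding is on now and at boot, 1 otherwise,
# printing the fix for whichever half is missing.
check_forwarding() {
    rc=0
    now=$(forwarding_now "$1")
    if [ "$now" != "1" ]; then
        echo "runtime: net.inet.ip.forwarding is '${now:-unset}';" \
             "enable now with: sysctl net.inet.ip.forwarding=1"
        rc=1
    fi
    boot=$(gateway_at_boot "$2")
    if ! is_yes "$boot"; then
        echo "boot: gateway_enable is '${boot:-unset}' in rc.conf;" \
             "add: gateway_enable=\"YES\""
        rc=1
    fi
    return $rc
}

# Constructed sample input (not captured from a real machine): forwarding
# off, and gateway_enable present only as a commented-out line, which is
# the classic way to end up with the symptom described in the thread.
SAMPLE_SYSCTL='net.inet.ip.forwarding: 0'
SAMPLE_RCCONF='hostname="fw.example"
pf_enable="YES"
pflog_enable="YES"
#gateway_enable="YES"
'

check_forwarding "$SAMPLE_SYSCTL" "$SAMPLE_RCCONF" \
  || echo "forwarding is not fully enabled; LAN hosts will not get through NAT"
```

Note that pf rules cannot compensate for this: without net.inet.ip.forwarding the kernel drops packets destined for other hosts before pf's NAT rule ever sees them on $ext_if, which is why the firewall itself reaches the Internet while the 192.168.0.0/27 hosts do not.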