From: Morgan Wesström
To: Alex Teslik
Cc: freebsd-pf@freebsd.org
Date: Sat, 13 Feb 2010 21:36:52 +0100
Subject: Re: pf: nat works, ip blocking and logging do not
Message-ID: <4B770D64.10404@pp.dyndns.biz>
List-Id: Technical discussion and general questions about packet filter (pf)

> nat works great.
>
> Unfortunately, I can still go to 11.11.11.111 or 22.22.22.222 with no
> blocking and no logging on /var/log/pflog.
>
> When I tcpdump listen to pflog0 there are no entries when I go to those IPs.
> What am I doing wrong here that is preventing logging and blocking from
> working?
>
> [gouda:root]/root# tcpdump -vvveni pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
>
> [gouda:root]/root# cat /etc/pf.conf
> ext_if="em0"
> int_if="sk0"
> set skip on lo0
> scrub in
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> block drop in log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222 } to any
> block drop out log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222 } to any
> pass in all
> pass out all

You have to reverse the order of the source and destination in your outgoing rule. It should be:

block drop out log (all) quick on $ext_if from any to { 11.11.11.111, 22.22.22.222 }

/Morgan
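The following is an added example, not part of either mail in this thread. It is a small model of pf's filter decision that traces the posted ruleset and Morgan's corrected out rule for one connection from the LAN to 11.11.11.111. The addresses 203.0.113.5 (em0's public address after NAT) and 198.51.100.7 (an unrelated host) are constructed, and the model assumes that pass rules keep state, which is pf's default on FreeBSD 7.0 and later. It shows two things the mail only implies: after nat on $ext_if the outbound packet pf evaluates on em0 has the gateway's own address as source, so a "from { blocked }" out rule can never match it; and once "pass out all" has created a state, the reply from 11.11.11.111 is matched against the state table before the ruleset, so the "block in ... from { blocked }" rule is never consulted and nothing reaches pflog0.

```python
"""Toy model of pf's filter decision for the ruleset in this thread (added example).

Assumptions (not from the original mail): em0's public address is the constructed
203.0.113.5, and pass rules keep state, as pf does by default on FreeBSD 7.0+.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

EXT_IF = "em0"
EXT_ADDR = "203.0.113.5"        # constructed: address of em0, i.e. the NAT source
BLOCKED = frozenset({"11.11.11.111", "22.22.22.222"})


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out", relative to the firewall
    iface: str
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in", "out" or "any"
    iface: Optional[str]        # None matches every interface
    src: Optional[FrozenSet[str]]   # None means "from any"
    dst: Optional[FrozenSet[str]]   # None means "to any"
    quick: bool = False
    log: bool = False


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.src is None or pkt.src in rule.src)
            and (rule.dst is None or pkt.dst in rule.dst))


def evaluate(rules: List[Rule], pkt: Packet) -> Rule:
    """pf semantics: the last matching rule wins, unless a matching rule says quick."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    assert winner is not None, "ruleset must end in a pass/block all"
    return winner


def original_rules() -> List[Rule]:
    """The rules as posted: the out rule matches on *source*, never the blocked host."""
    return [
        Rule("block", "in",  EXT_IF, BLOCKED, None, quick=True, log=True),
        Rule("block", "out", EXT_IF, BLOCKED, None, quick=True, log=True),
        Rule("pass",  "in",  None, None, None),
        Rule("pass",  "out", None, None, None),
    ]


def corrected_rules() -> List[Rule]:
    """Morgan's fix: the out rule matches on *destination* instead."""
    rules = original_rules()
    rules[1] = Rule("block", "out", EXT_IF, None, BLOCKED, quick=True, log=True)
    return rules


def simulate(rules: List[Rule], dst: str) -> Dict[str, object]:
    """Trace one LAN host's request to dst, and the reply, through the filter."""
    states = set()              # (src, dst) pairs created by pass rules
    pflog: List[str] = []

    def filter_packet(pkt: Packet) -> str:
        # The state table is consulted before the ruleset: a packet that belongs
        # to an existing state passes without touching any rule, so it never logs.
        if (pkt.src, pkt.dst) in states or (pkt.dst, pkt.src) in states:
            return "pass (state)"
        rule = evaluate(rules, pkt)
        if rule.log:
            pflog.append(f"{rule.action} {pkt.direction} on {pkt.iface}: "
                         f"{pkt.src} -> {pkt.dst}")
        if rule.action == "pass":
            states.add((pkt.src, pkt.dst))
        return rule.action

    # nat on $ext_if rewrites the source before the outbound filter runs, so the
    # packet pf evaluates on em0 is EXT_ADDR -> dst, not 192.168.69.x -> dst.
    request = filter_packet(Packet("out", EXT_IF, EXT_ADDR, dst))
    reply = None
    if request != "block":
        reply = filter_packet(Packet("in", EXT_IF, dst, EXT_ADDR))
    return {"request": request, "reply": reply, "pflog": pflog}


if __name__ == "__main__":
    for name, rules in (("original", original_rules()), ("corrected", corrected_rules())):
        print(name, simulate(rules, "11.11.11.111"))
        print(name, simulate(rules, "198.51.100.7"))
```

On the real box, `pfctl -nf /etc/pf.conf` will not catch this, because both versions of the rule are syntactically valid; `pfctl -vsr` shows per-rule evaluation and packet counters, which make a rule that never matches visible, and `pfctl -ss` shows the states that are letting the replies through without logging.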