Date: Fri, 16 Nov 2007 15:20:34 +0200
From: "N. Ersen SISECI" <siseci@gmail.com>
To: freebsd-pf@FreeBSD.org
Subject: Nat Pass and PF Default Rule
Message-ID: <473D9922.4010207@gmail.com>
Hi,

I changed PF's default rule in the kernel (pf_ioctl.h). And then I restarted my server. After that the server started successfully, and then the internal network (behind the NAT) wasn't able to access the external network.

Rules:

    pass in log quick all
    pass out log quick all

Nat rule is:

    nat pass on em0 inet all -> 192.168.1.1

I changed filtering and NAT rules like these. But it's not working. And then I added a log line for the default rule in pf_ioctl.h:

    pf_default_rule.log = PF_LOG;

And then I see the blocking logs on pflog0 with the same rule set:

    2007-11-16 15:03:19.291742 rule 4294967295/0(match): block out on em0: .... ICMP ... 192.168.1.1 > 192.168.1.36: ICMP echo request

So, I removed the pass option in the nat rule and it suddenly started working.

From the man page of pf.conf:

    Packets that match a translation rule are only automatically passed if the pass modifier is given, otherwise they are still subject to block and pass rules.

But I think it's not working as described above. Nat's pass option depends on PF's default rule in the kernel. Is there anything I missed or got wrong?

Thanks.

N. Ersen SISECI
http://www.enderunix.org
EnderUNIX SDT @ Turkey
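As an added example (not from the mail or from FreeBSD's own code): the rule number 4294967295 in the pflog line quoted above is (u_int32_t)-1, the number pf_ioctl.c gives to pf_default_rule, so a pflog parser can pick out exactly the packets that matched no pf.conf rule and were decided by the kernel default. The tcpdump-style line format and the sample log lines below are constructed; the first sample reproduces the line quoted in the mail.

```python
import re
from dataclasses import dataclass

# pf_ioctl.c sets pf_default_rule.nr = -1; pflog prints it unsigned as 4294967295.
PF_DEFAULT_RULE_NR = 4294967295

# tcpdump-style pflog line: "<date> <time> rule N/M(reason): action dir on ifname: ..."
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<nr>\d+)/(?P<subnr>\d+)\((?P<reason>[\w-]+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): (?P<rest>.*)$"
)


@dataclass
class PflogEntry:
    ts: str
    rule_nr: int
    reason: str
    action: str
    direction: str
    iface: str
    packet: str  # whatever tcpdump printed after the interface name

    @property
    def hit_default_rule(self) -> bool:
        # True when no pf.conf rule matched and the kernel default rule decided.
        return self.rule_nr == PF_DEFAULT_RULE_NR


def parse_pflog_line(line: str):
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None  # not a pflog rule line (e.g. truncated or unrelated output)
    return PflogEntry(m["ts"], int(m["nr"]), m["reason"], m["action"],
                      m["dir"], m["iface"], m["rest"])


def default_rule_hits(lines):
    # Keep only entries decided by the default rule, whichever action it had.
    return [e for e in map(parse_pflog_line, lines) if e and e.hit_default_rule]


# Constructed sample: line 1 is the entry quoted in the mail (its elided middle
# left as written), line 2 is a made-up hit on an ordinary numbered rule.
SAMPLE_LOG = [
    "2007-11-16 15:03:19.291742 rule 4294967295/0(match): block out on em0: "
    ".... ICMP ... 192.168.1.1 > 192.168.1.36: ICMP echo request",
    "2007-11-16 15:03:20.100000 rule 2/0(match): pass in on em1: "
    "192.168.1.36 > 192.0.2.10: ICMP echo request",
]

if __name__ == "__main__":
    for e in default_rule_hits(SAMPLE_LOG):
        print(f"{e.ts} default rule {e.action} {e.direction} on {e.iface}: {e.packet}")
```

Running it over a real pflog capture (tcpdump -n -e -ttt -r /var/log/pflog) shows whether traffic is being decided by an explicit rule or by the kernel default, which is the distinction the mail is chasing.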