Date: Sat, 29 Dec 2007 19:08:52 GMT
From: Faysal Banna <degreane@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/119139: FreeBSD router PF nating internal to external network not working
Message-ID: <200712291908.lBTJ8qwD032656@www.freebsd.org>
Resent-Message-ID: <200712291910.lBTJA1Eg060023@freefall.freebsd.org>
>Number:         119139
>Category:       misc
>Synopsis:       FreeBSD router PF nating internal to external network not working
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 29 19:10:00 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Faysal Banna
>Release:        FreeBSD 7 beta4
>Organization:
comnet
>Environment:
FreeBSD FBSD.comnet.net.lb 7.0-BETA4 FreeBSD 7.0-BETA4 #0: Fri Dec 28 16:50:46 EET 2007     root@FBSD.comnet.net.lb:/usr/obj/usr/src/sys/FAYSAL  i386
>Description:
Good Day.

I am trying to use FreeBSD as a router/NAT box. I set up PF (packet filter) as described in the manual and did all what's necessary to the kernel, enabled pf in /etc/rc.conf ..... After like three hours of struggling to make the system work as a router/NAT box I failed .. I was able to connect to the box, ssh to it from both network cards, I have no problem with that .. and I was able to tcpdump both network cards .... The system is connected to two network cards, rl0 and rl1 respectively. In the PF pfctl interface, only to test, I did this:

echo "block quick all " | pfctl -f -

and to my surprise I was always able to connect to the box and it didn't block me out, which looks like the pf is not reached or touched .....

Here is a list, check it out, this should illustrate what I mean:

FBSD# ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:40:f4:eb:67:33
        inet 192.168.151.19 netmask 0xffffff00 broadcast 192.168.151.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:40:f4:eb:5d:dd
        inet 172.16.55.1 netmask 0xffffff00 broadcast 172.16.55.255
        media: Ethernet autoselect (none)
        status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
FBSD# echo "block quick all " | pfctl -f -
FBSD# pfctl -sa -v
FILTER RULES:
block drop quick all
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1504 ]

No queue in use

INFO:
Status: Disabled                              Debug: Urgent
Hostid:   0x2df50bf7
Checksum: 0xf67edfbb4f38672f79691ea6b22dd653

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Source Tracking Table
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                      0            0.0/s
  overload table insertion               0            0.0/s
  overload flush states                  0            0.0/s

TIMEOUTS:
  tcp.first                   120s
  tcp.opening                  30s
  tcp.established           86400s
  tcp.closing                 900s
  tcp.finwait                  45s
  tcp.closed                   90s
  tcp.tsdiff                   30s
  udp.first                    60s
  udp.single                   30s
  udp.multiple                 60s
  icmp.first                   20s
  icmp.error                   10s
  other.first                  60s
  other.single                 30s
  other.multiple               60s
  frag                         30s
  interval                     10s
  adaptive.start             6000 states
  adaptive.end              12000 states
  src.track                     0s

LIMITS:
  states        hard limit    10000
  src-nodes     hard limit    10000
  frags         hard limit     5000
  tables        hard limit     1000
  table-entries hard limit   200000

OS FINGERPRINTS:
696 fingerprints loaded
FBSD# who am i
root             ttyp0    Dec 29 22:43 (192.168.151.34)
FBSD#

Regards
Faysal Banna
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
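Added diagnostic, not part of the bug report or of FreeBSD: a POSIX sh script that reads the text of `pfctl -sa -v` (or `pfctl -si`) and flags the condition visible in the output above, where a rule set is loaded but the INFO block reports `Status: Disabled`, so no rule is ever evaluated and every per-rule `Evaluations:` counter stays at 0. The function names (`pf_status`, `rule_evaluations`, `pf_sanity`) and both sample outputs are constructed for this example; the samples mimic the pfctl layout shown in the report.

```shell
#!/bin/sh
# Diagnostic for "rules loaded but nothing is blocked" (added example).
# Input for every function is pfctl info text on stdin; nothing here
# touches the live rule set.

# Constructed sample: rules loaded, packet filter disabled (as in the report).
SAMPLE_DISABLED='FILTER RULES:
block drop quick all
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1504 ]

INFO:
Status: Disabled                              Debug: Urgent'

# Constructed sample: packet filter enabled, rules being evaluated.
SAMPLE_ENABLED='FILTER RULES:
block drop quick all
  [ Evaluations: 42        Packets: 42        Bytes: 3360        States: 0     ]
  [ Inserted: uid 0 pid 1504 ]
pass in all
  [ Evaluations: 7         Packets: 7         Bytes: 560         States: 0     ]

INFO:
Status: Enabled for 0 days 00:03:10           Debug: Urgent'

# pf_status: print enabled|disabled|unknown from the "Status:" line.
# Exit 0 when enabled, 1 when disabled, 2 when no status line is present.
pf_status() {
    pfs_word=$(sed -n 's/^Status: *\([A-Za-z]*\).*/\1/p' | head -n 1)
    case "$pfs_word" in
        Enabled)  echo enabled;  return 0 ;;
        Disabled) echo disabled; return 1 ;;
        *)        echo unknown;  return 2 ;;
    esac
}

# rule_evaluations: sum of the per-rule "Evaluations:" counters.
# While pf is disabled this stays 0 no matter how much traffic flows.
rule_evaluations() {
    awk '/Evaluations:/ {
             for (i = 1; i <= NF; i++) if ($i == "Evaluations:") sum += $(i + 1)
         }
         END { print sum + 0 }'
}

# pf_sanity: one-line verdict. Exit 1 when pf is disabled (the rule set
# cannot have any effect), 2 when the status could not be read.
pf_sanity() {
    pfy_text=$(cat)
    pfy_state=$(printf '%s\n' "$pfy_text" | pf_status) || true
    pfy_evals=$(printf '%s\n' "$pfy_text" | rule_evaluations)
    case "$pfy_state" in
        disabled)
            echo "pf disabled: rules are loaded but never evaluated (pfctl -e, or pf_enable=\"YES\" in /etc/rc.conf)"
            return 1 ;;
        unknown)
            echo "pf status not found in input"
            return 2 ;;
    esac
    echo "pf $pfy_state, rule evaluations so far: $pfy_evals"
}

# Demonstration on the constructed samples. Live use: pfctl -sa -v | pf_sanity
printf '%s\n' "$SAMPLE_DISABLED" | pf_sanity || :
printf '%s\n' "$SAMPLE_ENABLED" | pf_sanity || :
```

The check only reads what `pfctl -sa -v` already prints: `Status: Disabled` means the kernel module is loaded and the rules are parsed, but the filter hooks are not active, which is exactly why `block quick all` blocks nothing and why every counter in the report is 0. Two further things a reviewer would verify on a box meant to route and NAT between rl0 and rl1: that forwarding is on (`gateway_enable="YES"` in /etc/rc.conf, i.e. `net.inet.ip.forwarding=1`), and that the internal interface actually has link, since the `ifconfig` output above shows rl1 with `status: no carrier`, so no packet from the 172.16.55.0/24 side can reach pf at all.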