From owner-freebsd-bugs@FreeBSD.ORG Sat Dec 29 19:10:01 2007
Resent-Date: Sat, 29 Dec 2007 19:10:01 GMT
Resent-Message-Id: <200712291910.lBTJA1Eg060023@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Faysal Banna
Message-Id: <200712291908.lBTJ8qwD032656@www.freebsd.org>
Date: Sat, 29 Dec 2007 19:08:52 GMT
From: Faysal Banna
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc:
Subject: misc/119139: FreeBSD router PF nating internal to external network not working
List-Id: Bug reports
X-List-Received-Date: Sat, 29 Dec 2007 19:10:01 -0000

>Number:         119139
>Category:       misc
>Synopsis:       FreeBSD router PF nating internal to external network not working
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 29 19:10:00 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Faysal Banna
>Release:        FreeBSD 7 beta4
>Organization:   comnet
>Environment:
FreeBSD FBSD.comnet.net.lb 7.0-BETA4 FreeBSD 7.0-BETA4 #0: Fri Dec 28 16:50:46 EET 2007     root@FBSD.comnet.net.lb:/usr/obj/usr/src/sys/FAYSAL  i386
>Description:
Good Day.

I am trying to use FreeBSD as a router/NAT box. I set up PF (packet filter) as described in the manual, did all that was necessary to the kernel, and enabled pf in /etc/rc.conf. After about three hours of struggling to make the system work as a router/NAT box, I failed. I was able to connect to the box and ssh to it from both network cards; I have no problem with that, and I was able to tcpdump both network cards. The system is connected to two network cards, rl0 and rl1 respectively.

In the PF pfctl interface, only to test, I did this:

echo "block quick all " | pfctl -f -

and to my surprise I was always able to connect to the box and it didn't block me out, which looks like pf is not reached or touched at all.
Here is a listing; check it out, this should illustrate what I mean:

FBSD# ifconfig
rl0: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:40:f4:eb:67:33
        inet 192.168.151.19 netmask 0xffffff00 broadcast 192.168.151.255
        media: Ethernet autoselect (100baseTX )
        status: active
rl1: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:40:f4:eb:5d:dd
        inet 172.16.55.1 netmask 0xffffff00 broadcast 172.16.55.255
        media: Ethernet autoselect (none)
        status: no carrier
plip0: flags=108810 metric 0 mtu 1500
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=141 metric 0 mtu 33204
lo0: flags=8049 metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
FBSD# echo "block quick all " | pfctl -f -
FBSD# pfctl -sa -v
FILTER RULES:
block drop quick all
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1504 ]

No queue in use

INFO:
Status: Disabled                              Debug: Urgent

Hostid:   0x2df50bf7
Checksum: 0xf67edfbb4f38672f79691ea6b22dd653

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Source Tracking Table
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                      0            0.0/s
  overload table insertion               0            0.0/s
  overload flush states                  0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

OS FINGERPRINTS:
696 fingerprints loaded

FBSD# who am i
root             ttyp0    Dec 29 22:43 (192.168.151.34)
FBSD#

Regards
Faysal Banna
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
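The pfctl status shown in the report is the check a practitioner wants automated: rules can be loaded while pf itself is disabled, in which case nothing is filtered. The script below is an added example, not code from the PR or from FreeBSD; it parses captured `pfctl -sa -v` text (constructed samples abridged from the output above) and reports whether pf is actually enforcing.

```shell
# Added diagnostic, not code from the PR or from FreeBSD: read captured
# `pfctl -sa -v` text and say whether pf is actually enforcing. A rule set
# loads fine while pf is disabled, which is the symptom in this report.

pf_status() {
    # $1: pfctl output; prints "enabled", "disabled" or "unknown"
    st=$(printf '%s\n' "$1" | while read -r key val _; do
        if [ "$key" = "Status:" ]; then printf '%s\n' "$val"; break; fi
    done)
    if [ -n "$st" ]; then printf '%s\n' "$st" | tr 'A-Z' 'a-z'; else echo unknown; fi
}

pf_rule_evaluations() {
    # $1: pfctl output; prints the sum of every rule's "Evaluations:" counter
    sum=0
    for n in $(printf '%s\n' "$1" | sed -n 's/.*Evaluations: *\([0-9][0-9]*\).*/\1/p'); do
        sum=$((sum + n))
    done
    printf '%s\n' "$sum"
}

pf_check() {
    # $1: pfctl output; returns 0 only when pf is enabled and has evaluated rules
    status=$(pf_status "$1")
    evals=$(pf_rule_evaluations "$1")
    if [ "$status" != enabled ]; then
        echo "pf is $status: rules are loaded but nothing is filtered." \
             "Run 'pfctl -e' now and set pf_enable=\"YES\" in /etc/rc.conf."
        return 1
    fi
    if [ "$evals" -eq 0 ]; then
        echo "pf is enabled but no rule has been evaluated yet."
        return 2
    fi
    echo "pf is enabled; $evals rule evaluations recorded."
}

# Constructed samples, abridged from the output quoted in the PR.
PF_DISABLED='FILTER RULES:
block drop quick all
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
INFO:
Status: Disabled                              Debug: Urgent'
PF_ENABLED='FILTER RULES:
block drop quick all
  [ Evaluations: 17        Packets: 17        Bytes: 1020        States: 0     ]
INFO:
Status: Enabled for 0 days 00:03:12           Debug: Urgent'
pf_check "$PF_DISABLED" || echo "(exit status $?)"
pf_check "$PF_ENABLED"
```

On a live box the same functions can be fed `"$(pfctl -sa -v)"` directly.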