From: Kevin Wilcox <kevin.wilcox@gmail.com>
To: freebsd-pf@freebsd.org
Date: Tue, 19 Oct 2010 10:05:02 -0400
Subject: pf + NAT + log
List: freebsd-pf@freebsd.org ("Technical discussion and general questions about packet filter (pf)")

Hi everyone.
I sent this out to freebsd-questions@ yesterday but haven't had any nibbles.

I'm testing NAT on FreeBSD 8.1. My setup is very simple:

  My workstation -> { internal network switch } -> FreeBSD 8.1 routing firewall with squid 3 -> { switch going to Internet }

My pf configuration is a bare minimum for passing everything and logging at every stage I can think of. I'll start filtering after I get this sorted out.

pf.conf:
=======================
ext_if=bge0
int_if=bge1

rdr pass log(all) on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
nat pass log(all) on $ext_if from $int_if:network to any -> ($ext_if)

pass log(all) on $int_if
pass log(all) on $ext_if
=======================

If my internal workstation is 10.201.201.1, the external interface on my FreeBSD machine is 10.100.100.1 and I ssh to a server at 10.1.1.1, the connection works. On the server I get a connection on port 22 from the FreeBSD router on source port 30000. This is confirmed by netstat and tcpdump on the server. On the workstation, tcpdump and netstat confirm a connection from the workstation to the server; destination port is 22, source port is 10000.

On the FreeBSD router, 'pfctl -s s' confirms:

  all tcp 10.201.201.1:10000 -> 10.100.100.1:30000 -> 10.1.1.1:22       ESTABLISHED:ESTABLISHED

Here is where my problem sits. If I do a tcpdump of the pflog, I get an entry from my workstation to the server showing communication from port 10000 to port 22. I get an entry from the FreeBSD router to the server, from port 30000 to port 22. What I don't get, and what I desperately need, is a way to show that the connection from the FreeBSD router to the server is on behalf of my workstation.

Have I missed something in the NAT configuration that logs the actual translations? Can you configure pf to log similar to the output of pfctl where it shows something like:
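The attribution the post asks for (which internal host a translated connection belongs to) can be recovered outside pf by joining the state table against the log. The following is an added example, not code from the original post or from pf or FreeBSD: it parses `pfctl -s state` lines in the three-endpoint format quoted above, indexes them by the translated (source, destination) pair that the far-end server and the outbound pflog entry can both observe, and annotates a tcpdump-on-pflog line with the pre-NAT origin. The state-table sample and the pflog line are constructed for this example; the pflog parser relies only on the `src.port > dst.port` pair tcpdump prints, and state lines in any other format are skipped rather than treated as errors.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Endpoint = Tuple[str, int]


class Translation(NamedTuple):
    proto: str
    orig_src: Endpoint   # internal endpoint before NAT (what the workstation used)
    nat_src: Endpoint    # translated endpoint (what the server and the outbound pflog entry see)
    dst: Endpoint
    state: str


# Constructed sample of `pfctl -s state` output, in the line format quoted in
# the post. Line 2 is an untranslated state (two endpoints only); line 3 is a
# second translated flow so the lookup has something to distinguish.
SAMPLE_STATE_TABLE = """\
all tcp 10.201.201.1:10000 -> 10.100.100.1:30000 -> 10.1.1.1:22       ESTABLISHED:ESTABLISHED
all tcp 10.100.100.1:40000 -> 10.1.1.1:22       ESTABLISHED:ESTABLISHED
all udp 10.201.201.7:5353 -> 10.100.100.1:30001 -> 10.1.1.53:53       SINGLE:MULTIPLE
"""

# Constructed tcpdump-on-pflog line; only the "src.port > dst.port" pair is used.
SAMPLE_PFLOG_LINE = "rule 3/0(match): pass out on bge0: 10.100.100.1.30000 > 10.1.1.1.22: Flags [S]"

_ADDR = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
# "<kind> <proto> a:p -> b:p [-> c:p] <state>"; the middle endpoint is optional.
_STATE_LINE = re.compile(
    r"^\S+\s+(\w+)\s+" + _ADDR + r"\s+->\s+" + _ADDR
    + r"(?:\s+->\s+" + _ADDR + r")?\s+(\S+)\s*$"
)
_PFLOG_PAIR = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+)"
)


def parse_state_table(text: str) -> List[Translation]:
    """Parse `pfctl -s state` output into Translation records, skipping
    lines that do not match the three- or two-endpoint format."""
    entries: List[Translation] = []
    for line in text.splitlines():
        m = _STATE_LINE.match(line)
        if not m:
            continue
        proto, a1, p1, a2, p2, a3, p3, state = m.groups()
        first, second = (a1, int(p1)), (a2, int(p2))
        if a3 is None:
            # Two endpoints only: pf did not rewrite this flow, so the
            # source the peer sees is the original source.
            entries.append(Translation(proto, first, first, second, state))
        else:
            entries.append(Translation(proto, first, second, (a3, int(p3)), state))
    return entries


def build_index(entries: List[Translation]) -> Dict[Tuple[Endpoint, Endpoint], List[Translation]]:
    """Index states by (translated source, destination): the tuple visible
    on the wire after NAT and in the outbound pflog record."""
    index: Dict[Tuple[Endpoint, Endpoint], List[Translation]] = {}
    for t in entries:
        index.setdefault((t.nat_src, t.dst), []).append(t)
    return index


def attribute(index, nat_src: Endpoint, dst: Endpoint,
              proto: Optional[str] = None) -> Optional[Translation]:
    """Return the state whose translated tuple (and protocol, if given) matches."""
    for t in index.get((nat_src, dst), []):
        if proto is None or t.proto == proto:
            return t
    return None


def describe(index, nat_src: Endpoint, dst: Endpoint, proto: Optional[str] = None) -> str:
    """One-line attribution in the form the post is asking for."""
    seen = f"{nat_src[0]}:{nat_src[1]} -> {dst[0]}:{dst[1]}"
    t = attribute(index, nat_src, dst, proto)
    if t is None:
        return f"{seen} (no matching state)"
    if t.orig_src == t.nat_src:
        return f"{t.proto} {seen} (not translated)"
    return f"{t.proto} {seen} on behalf of {t.orig_src[0]}:{t.orig_src[1]}"


def annotate_pflog_line(index, line: str) -> str:
    """Append the pre-NAT origin to a tcpdump-on-pflog line when its
    src.port > dst.port pair matches a translated state; otherwise return it unchanged."""
    m = _PFLOG_PAIR.search(line)
    if not m:
        return line
    src = (m.group(1), int(m.group(2)))
    dst = (m.group(3), int(m.group(4)))
    t = attribute(index, src, dst)
    if t is None or t.orig_src == t.nat_src:
        return line
    return f"{line}  [NAT: originally {t.orig_src[0]}:{t.orig_src[1]}]"


if __name__ == "__main__":
    idx = build_index(parse_state_table(SAMPLE_STATE_TABLE))
    print(describe(idx, ("10.100.100.1", 30000), ("10.1.1.1", 22)))
    print(annotate_pflog_line(idx, SAMPLE_PFLOG_LINE))
```

In use, the state table has to be captured while the flow is still alive (states are removed once the connection closes), so a practical deployment snapshots `pfctl -s state` on a short interval and joins each pflog record against the snapshot closest to its timestamp; the untranslated case is kept distinct from "no matching state" so that a missing snapshot is not mistaken for a direct connection.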