Date:      Fri, 21 Jan 2005 18:13:10 +0100
From:      J65nko BSD <j65nko@gmail.com>
To:        "Andrew L. Gould" <algould@datawok.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: 'nat pass' not working in PF
Message-ID:  <19861fba050121091360fa18d3@mail.gmail.com>
In-Reply-To: <200501210820.45744.algould@datawok.com>
References:  <200501210820.45744.algould@datawok.com>

On Fri, 21 Jan 2005 08:20:45 -0600, Andrew L. Gould <algould@datawok.com> wrote:
> I'm running pf in FreeBSD 5.3 on my laptop.  The filters for the local
> box work fine.
> 
> I'm also working on a pc for a friend; but ran out of ethernet ports in
> my router.  This pc doesn't have a wireless adapter; so I adjusted my
> pf rules to use my laptop as a gateway for the pc.
> 
> I want my filters to remain intact for the laptop; but I want nat to let
> all the pc's traffic through.  (It has its own firewall.) According to
> the OpenBSD pf tutorial, adding the word 'pass' after 'nat' in the nat
> command will allow nat traffic to bypass the filter rules.
> Unfortunately, this doesn't seem to work.
> 
> If my default 'block log all' rule is left uncommented, I can only ping
> ip addresses (not host names that require nameservers).  No other
> activity passes through.  If I comment it out, all traffic passes; but
> my laptop is left unprotected.
> 
> Any advice?
> 
> The relevant lines from my pf rules follow:
> 
> ifdev = "ath0"
> natdev = "fxp0"
> scrub in all no-df
> nat pass on $ifdev from $natdev:network to any -> $ifdev
> icmp_types = "echoreq"
> block log all
> #other filtering rules follow
> 
> Thanks,
> 
> Andrew Gould
How about something like this:
EXT_IF = "fxp0"
INT_IF = "xl0"

TCP_OUT = "{ ssh, www, https, smtp, pop3 }"
UDP_OUT = "{ domain }"
ICMP_OUT = "echoreq"

scrub in all no-df

nat on $EXT_IF from $INT_IF:network to any -> $EXT_IF

# -- default policy
block log from any to any

# -- LOOPBACK
pass quick on lo0 from any to any

# -- EXTERNAL

# -- tcp
pass out quick on $EXT_IF inet proto tcp from any to any port $TCP_OUT flags S/SA keep state

# -- udp
pass out quick on $EXT_IF inet proto udp from any to any port $UDP_OUT keep state

# -- icmp
pass out quick on $EXT_IF inet proto icmp from any to any icmp-type $ICMP_OUT keep state

# -- INTERNAL
pass on $INT_IF from any to any

=Adriaan==
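To see how the suggested ruleset behaves under pf's "last matching rule wins, unless it is quick" evaluation, and why the stateful pass rules let replies back in past the default block, here is a small Python model. It is an added example, not from the thread; the IP addresses and the expansion of the TCP_OUT/UDP_OUT macros to port numbers are constructed, and the nat rule, icmp-type and TCP flags are not modelled.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out"
    iface: str          # interface the packet crosses
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # 0 for icmp

@dataclass
class Rule:
    action: str                        # "pass" or "block"
    direction: Optional[str] = None    # None matches both directions
    iface: Optional[str] = None        # None matches any interface
    proto: Optional[str] = None        # None matches any protocol
    dports: frozenset = frozenset()    # empty set matches any port
    quick: bool = False
    keep_state: bool = False
    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction) and self.iface in (None, p.iface)
                and self.proto in (None, p.proto) and (not self.dports or p.dport in self.dports))

class Firewall:
    def __init__(self, rules):
        self.rules, self.states = rules, set()
    def filter(self, p: Packet) -> str:
        # A packet matching an existing state entry never consults the ruleset at all
        if (p.iface, p.proto, p.dst, p.src) in self.states:
            return "pass (state)"
        winner = None
        for r in self.rules:           # pf: the last matching rule wins, unless it is 'quick'
            if r.matches(p):
                winner = r
                if r.quick:
                    break
        if winner.action == "pass" and winner.keep_state:
            self.states.add((p.iface, p.proto, p.src, p.dst))   # ports ignored for brevity
        return winner.action

# The reply's ruleset with its macros expanded to port numbers (constructed here; the nat
# rule, icmp-type and TCP flags are not modelled)
RULESET = [
    Rule("block"),                                                   # block log from any to any
    Rule("pass", iface="lo0", quick=True),                           # pass quick on lo0
    Rule("pass", "out", "fxp0", "tcp", frozenset({22, 80, 443, 25, 110}), True, True),
    Rule("pass", "out", "fxp0", "udp", frozenset({53}), True, True),
    Rule("pass", "out", "fxp0", "icmp", quick=True, keep_state=True),
    Rule("pass", iface="xl0"),                                       # pass on $INT_IF
]
```

Feeding it an outbound DNS query on fxp0 followed by the reply shows the reply being admitted by the state entry, while an unsolicited inbound SSH connection on fxp0 or an outbound connection to a port outside TCP_OUT falls through to the default block.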
