Date: Sat, 13 Feb 2010 21:36:52 +0100
From: Morgan Wesström <freebsd-pf@pp.dyndns.biz>
To: Alex Teslik <whereisalext@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf: nat works, ip blocking and logging do not
Message-ID: <4B770D64.10404@pp.dyndns.biz>
In-Reply-To: <d24a9c161002131005h50d6dc7ie129f9b74eae55c@mail.gmail.com>
References: <d24a9c161002131005h50d6dc7ie129f9b74eae55c@mail.gmail.com>
> nat works great.
>
> Unfortunately, I can still go to 11.11.11.111 or 22.22.22.222 with no
> blocking and no logging on /var/log/pflog.
>
> When I listen on pflog0 with tcpdump there are no entries when I go to those IPs.
> What am I doing wrong here that is preventing logging and blocking from
> working?
>
> [gouda:root]/root# tcpdump -vvveni pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
>
> [gouda:root]/root# cat /etc/pf.conf
> ext_if="em0"
> int_if="sk0"
> set skip on lo0
> scrub in
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> block drop in log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222 } to any
> block drop out log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222 } to any
> pass in all
> pass out all

You have to reverse the order of the source and destination in your outgoing rule. It should be:

block drop out log (all) quick on $ext_if from any to { 11.11.11.111, 22.22.22.222 }

/Morgan
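The following is an added example, not code from the thread or from pf itself: a toy model of the pf matching semantics that produce the symptom Alex describes. It keeps only what matters here, namely that "in" and "out" are relative to the interface, that "from"/"to" are the packet's source/destination in that direction, that a matching "quick" rule ends evaluation while otherwise the last match wins, and that a packet matching an existing state is passed before the ruleset is consulted. Ports, protocols, scrub and the NAT rewrite itself are ignored. The gateway address 203.0.113.10 is a constructed stand-in for ($ext_if), and the ORIGINAL/CORRECTED rule lists are transcriptions of the two rulesets in the message above.

```python
# Added example: simplified model of pf rule evaluation, not pf code.
# Assumption: 203.0.113.10 stands in for the em0 address ($ext_if).
from typing import Optional, FrozenSet, List, Tuple

BLOCKED = frozenset({"11.11.11.111", "22.22.22.222"})
EXT_ADDR = "203.0.113.10"   # constructed stand-in for the em0 address


class Packet:
    def __init__(self, direction: str, src: str, dst: str):
        self.direction = direction   # "in" or "out", relative to em0
        self.src = src
        self.dst = dst


class Rule:
    def __init__(self, action: str, direction: str,
                 src: Optional[FrozenSet[str]] = None,
                 dst: Optional[FrozenSet[str]] = None,
                 quick: bool = False, log: bool = False):
        self.action, self.direction = action, direction
        self.src, self.dst = src, dst          # None means "any"
        self.quick, self.log = quick, log

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and (self.src is None or pkt.src in self.src)
                and (self.dst is None or pkt.dst in self.dst))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, bool]:
    """Last matching rule wins, except that a matching 'quick' rule ends
    evaluation at once. With no match at all pf passes the packet."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return "pass", False
    return winner.action, winner.log


class Filter:
    """Ruleset plus state table: a packet matching an existing state is
    passed before the ruleset is consulted, which is why a reply from a
    blocked host never reaches the 'block in' rule once the request passed."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states = set()            # (src, dst) of flows that were passed

    def handle(self, pkt: Packet) -> Tuple[str, bool]:
        if (pkt.dst, pkt.src) in self.states:
            return "pass", False       # reply to an established flow
        action, logged = evaluate(self.rules, pkt)
        if action == "pass":
            self.states.add((pkt.src, pkt.dst))
        return action, logged


def simulate_visit(rules: List[Rule], target: str) -> List[Tuple[str, str, bool]]:
    """A NATed client connects to target: the request leaves em0 and, if it
    was passed, the reply comes back in. Returns (direction, action, logged)."""
    fw = Filter(rules)
    results = []
    action, logged = fw.handle(Packet("out", EXT_ADDR, target))
    results.append(("out", action, logged))
    if action == "pass":
        action, logged = fw.handle(Packet("in", target, EXT_ADDR))
        results.append(("in", action, logged))
    return results


# Alex's ruleset: the outgoing block names the blocked hosts as the *source*,
# but an outgoing request has the gateway as source and the blocked host as
# destination, so the rule never matches.
ORIGINAL = [
    Rule("block", "in", src=BLOCKED, quick=True, log=True),
    Rule("block", "out", src=BLOCKED, quick=True, log=True),
    Rule("pass", "in"),
    Rule("pass", "out"),
]

# Morgan's correction: block outgoing traffic *to* the blocked hosts.
CORRECTED = [
    Rule("block", "in", src=BLOCKED, quick=True, log=True),
    Rule("block", "out", dst=BLOCKED, quick=True, log=True),
    Rule("pass", "in"),
    Rule("pass", "out"),
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, simulate_visit(rules, "11.11.11.111"))
```

With ORIGINAL the request matches only "pass out all", a state is created, and the reply from 11.11.11.111 is passed on that state without ever reaching "block in ... from { ... }", so nothing is blocked and nothing is logged, exactly what the empty pflog0 capture showed. With CORRECTED the request hits the outgoing block, and on a real system the logged packet appears in `tcpdump -n -e -ttt -i pflog0` together with the number of the rule that matched. The unsolicited-inbound case, a packet arriving on em0 from 11.11.11.111, is blocked and logged under both rulesets, which is the only case the original rules ever covered.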
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B770D64.10404>