Date:      Fri, 5 Feb 2010 15:53:14 -0700
From:      Maurice <mauduro@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   using pf to NAT with only one NIC
Message-ID:  <d3e0b6a01002051453o377d6e45p3b3991552f37310c@mail.gmail.com>

Hi,

I have been looking for a couple of days now, with no luck, for some direction
as to whether I can successfully configure my FreeBSD to NAT with only one
NIC.  This is because I am setting up my system to jail my webserver, and I
don't think I can get it to work without NATting it. If you have an
alternate solution that would be great too. This is what my pf.conf looks
like right now:


#       $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1.6.1 2009/04/15 03:14:26 kensmith Exp $
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

block in all
block out all

ext_if="fxp0"
#int_if="int0"
all_if="{fxp0, lo0}"

#Internal network subnet
int_net="10.0.0.0/32"

#name and IP of webserver
APACHE="10.0.0.1"

#table <spamd-white> persist

set skip on lo

scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#       -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }
block in quick from urpf-failed

pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state
rdr on $all_if proto tcp from any to fxp0 port 80 -> $APACHE port 80
nat on $ext_if from $APACHE to any -> fxp0

#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp

That doesn't seem to be doing the trick, since I can't ping and DNS won't
resolve anything from within the jail (APACHE). I am going off some examples
I found that would seem to suggest it is possible with only one NIC, but I
can't seem to get it to work. Any help/advice would be greatly appreciated.

thanks,

Maurice
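The following pf.conf is an added example and is not part of the original
post; it shows one way to do what the post asks for, NATting a jailed web
server on a host whose only NIC is fxp0. It assumes things the post does not
state: that the jail is bound to 10.0.0.1 on a cloned loopback interface lo1
(cloned_interfaces="lo1" and ifconfig_lo1="inet 10.0.0.1/32" in /etc/rc.conf)
rather than on an alias of fxp0, that the jail's /etc/resolv.conf names a
resolver reachable through fxp0, and that net.inet.ip.forwarding=1 is set as
the comment at the top of the posted config recommends. It also keeps the
section order that pfctl enforces (options, normalization, translation,
filter), which the posted config does not, and it adds the pass out rule and
the pass rule for the redirected port 80 traffic that the posted config lacks.

```pf
# Added example, not the original poster's config.
# Assumptions (not from the post): jail address 10.0.0.1 lives on cloned
# loopback lo1; fxp0 carries the host's public address.

ext_if="fxp0"
jail_if="lo1"
jail_net="10.0.0.0/24"
APACHE="10.0.0.1"

# Options first. Skip only lo0; lo1 stays filtered so the rules below see
# traffic between the jail and the host.
set skip on lo0

# Normalization.
scrub in

# Translation rules come before filter rules and are matched first.
# Outbound: rewrite the jail's source address to the primary address of
# fxp0. ($ext_if:0) never includes aliases, so the jail address itself can
# never be picked as the NAT source.
nat on $ext_if from $jail_net to any -> ($ext_if:0)

# Inbound: hand port 80 on the public address to the jail. The filter
# rules below see the packet after translation, addressed to 10.0.0.1:80.
rdr on $ext_if proto tcp from any to ($ext_if:0) port 80 -> $APACHE port 80

# Filter rules last: default deny both directions.
block in all
block out all
block in quick from urpf-failed

# Host administration.
pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state

# Without a pass out rule, "block out all" drops every outbound packet,
# the NATted ones included, which is why DNS from the jail cannot work.
# After nat the source is the host's primary address.
pass out on $ext_if proto { tcp udp icmp } from ($ext_if:0) to any keep state

# The redirected web traffic still needs a matching pass rule; rdr alone
# does not allow it in.
pass in on $ext_if proto tcp from any to $APACHE port 80 keep state

# Traffic between the jail and the host itself never leaves lo1.
pass on $jail_if from $jail_net to any keep state
```

The rdr and its pass rule can be folded into one line as "rdr pass on $ext_if
proto tcp to port 80 -> $APACHE", which is the form the commented-out
spamd/ftp-proxy lines in the posted config use. Two checks worth running after
loading this: "pfctl -vnf /etc/pf.conf" to confirm the ruleset parses in the
required order, and "pfctl -s nat; pfctl -s rules" to see the expanded
addresses. One caveat independent of pf: ping from inside a jail needs raw
sockets, which jails deny unless security.jail.allow_raw_sockets=1 is set on
the host, so a failing ping from the jail says nothing about the NAT rules;
test with a TCP or UDP connection (for example a DNS lookup) instead.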