From owner-freebsd-pf@FreeBSD.ORG Thu Oct 21 21:07:26 2004
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AF02216A4CE for ; Thu, 21 Oct 2004 21:07:26 +0000 (GMT)
Received: from vsmtp2.tin.it (vsmtp2alice.tin.it [212.216.176.142]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3D22743D1D for ; Thu, 21 Oct 2004 21:07:26 +0000 (GMT) (envelope-from rionda@gufi.org)
Received: from kaiser.sig11.org (82.52.115.76) by vsmtp2.tin.it (7.0.027) id 4175094F00141F13 for freebsd-pf@freebsd.org; Thu, 21 Oct 2004 23:07:26 +0200
Received: from [127.0.0.1] (localhost [127.0.0.1]) by kaiser.sig11.org (Postfix) with ESMTP id 951FC11C for ; Thu, 21 Oct 2004 23:07:24 +0200 (CEST)
From: Matteo Riondato
To: freebsd-pf@freebsd.org
In-Reply-To: <1415983562.20041021225652@andric.com>
References: <1098383388.909.3.camel@kaiser.sig11.org> <643946323.20041021211340@andric.com> <1098391754.909.16.camel@kaiser.sig11.org> <1415983562.20041021225652@andric.com>
Message-Id: <1098392844.909.34.camel@kaiser.sig11.org>
X-Mailer: Ximian Evolution 1.4.6
Date: Thu, 21 Oct 2004 23:07:24 +0200
Subject: Re: Another problem with pf..
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: rionda@gufi.org
List-Id: Technical discussion and general questions about packet filter (pf)
X-List-Received-Date: Thu, 21 Oct 2004 21:07:26 -0000

Thu, 2004-10-21 at 22:56, Dimitry Andric wrote:
> On 2004-10-21 at 22:49:14 Matteo Riondato wrote:
> Hm, so your rules seem to be okay. Do I miss something, or don't I
> see any NAT rule in there?

Uh, well, I commented them out because I had to let my LAN hosts browse (and keep my family happy...). The complete output is this:

kaiser# pfctl -n -v -f /etc/pf.conf
ext_if = "tun0"
wifi_if = "rl0"
eth_if = "fxp1"
wifi_net = "192.168.1.0/27"
eth_net = "192.168.0.0/29"
tcp_services = "{ 22, 80, 25, 4660 >< 4683, 6890 >< 6901 }"
icmp_types = "{ 0, 3, 8, 11 }"
scrub in all fragment reassemble
nat on tun0 inet from 192.168.1.0/27 to any -> (tun0) round-robin
nat on tun0 inet from 192.168.0.0/29 to any -> (tun0) round-robin
block drop all
pass quick on lo0 all
block drop in log quick on ! rl0 inet from 192.168.1.0/24 to any
block drop in log quick inet from 192.168.1.1 to any
block drop in quick on ! fxp1 inet from 192.168.0.0/24 to any
block drop in quick inet from 192.168.0.1 to any
pass in on tun0 inet proto tcp from any to 82.52.115.76 port = ssh flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port = http flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port = smtp flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port 4660 >< 4683 flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port 6890 >< 6901 flags S/SA keep state
pass inet proto icmp all icmp-type echorep
pass inet proto icmp all icmp-type unreach
pass inet proto icmp all icmp-type echoreq
pass inet proto icmp all icmp-type timex
pass in on rl0 inet from 192.168.1.0/27 to any keep state
pass out on rl0 inet from any to 192.168.1.0/27 keep state
pass in on fxp1 inet from 192.168.0.0/29 to any keep state
pass out on fxp1 inet from any to 192.168.0.0/29 keep state
pass in on rl0 inet from 192.168.1.200 to 192.168.1.1 keep state
pass out on rl0 inet from 192.168.1.1 to 192.168.1.200 keep state
pass out on tun0 proto tcp all flags S/SA modulate state
pass out on tun0 proto udp all keep state
pass out on tun0 proto icmp all keep state

> Next question is: what happens if you manually run /etc/rc.d/pf start
> or reload?

Rules get loaded. Can this be related to the fact that I use the module and not the in-kernel support?

Best Regards
-- 
Rionda aka Matteo Riondato
GUFI Staff Member (http://www.gufi.org)
FreeSBIE Developer (http://www.freesbie.org)
BSD-FAQ-it Main Developer (http://utenti.gufi.org/~rionda)
Sent from: kaiser.sig11.org running FreeBSD-6.0-CURRENT
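The ruleset quoted in the mail above pairs each NAT'd LAN prefix with an anti-spoofing rule of the form `block drop in quick on ! <lan_if> inet from <net> to any` (packets claiming a LAN source must arrive on that LAN interface). A reviewer reading `pfctl -n -v` output by hand can easily miss that the two sides use different prefix lengths (the NAT and pass rules say /27 and /29, the anti-spoof blocks say /24). The script below is an added example, not code from the mail or from the FreeBSD project: it parses an excerpt of the expanded ruleset and reports NAT rules with no anti-spoof counterpart, mask mismatches between the two, LAN pass-in rules with no matching NAT rule, and the "no nat rule at all" case that the thread started from. The regular expressions only match the exact expanded forms that pfctl printed in this mail, not the full pf grammar; that limitation and the rule names used are this example's own assumptions.

```python
import ipaddress
import re

# Excerpt of the pfctl -n -v output quoted in the mail (quoted-printable
# decoded), embedded here so the check runs offline.
RULESET = """\
nat on tun0 inet from 192.168.1.0/27 to any -> (tun0) round-robin
nat on tun0 inet from 192.168.0.0/29 to any -> (tun0) round-robin
block drop all
pass quick on lo0 all
block drop in log quick on ! rl0 inet from 192.168.1.0/24 to any
block drop in log quick inet from 192.168.1.1 to any
block drop in quick on ! fxp1 inet from 192.168.0.0/24 to any
block drop in quick inet from 192.168.0.1 to any
pass in on rl0 inet from 192.168.1.0/27 to any keep state
pass in on fxp1 inet from 192.168.0.0/29 to any keep state
"""

# These patterns cover only the expanded rule shapes seen in this mail
# (assumption: no options, tables or lists inside the matched rules).
NAT_RE = re.compile(r"^nat on (\S+) inet from (\S+) to any -> \((\S+)\)")
ANTISPOOF_RE = re.compile(
    r"^block drop in(?: log)? quick on ! (\S+) inet from (\S+) to any$")
PASS_IN_RE = re.compile(r"^pass in on (\S+) inet from (\S+) to any keep state$")


def parse_ruleset(text):
    """Extract NAT rules, interface-bound anti-spoof blocks and LAN pass-in
    rules from expanded pfctl output. Returns three lists of dicts."""
    nats, antispoof, pass_in = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nats.append({"ext_if": m.group(1),
                         "net": ipaddress.ip_network(m.group(2)),
                         "to": m.group(3)})
            continue
        m = ANTISPOOF_RE.match(line)
        if m:
            antispoof.append({"lan_if": m.group(1),
                              "net": ipaddress.ip_network(m.group(2))})
            continue
        m = PASS_IN_RE.match(line)
        if m:
            pass_in.append({"lan_if": m.group(1),
                            "net": ipaddress.ip_network(m.group(2))})
    return nats, antispoof, pass_in


def check_ruleset(text):
    """Return a list of human-readable findings; an empty list means the
    NAT, anti-spoof and pass-in prefixes agree with each other."""
    nats, antispoof, pass_in = parse_ruleset(text)
    findings = []
    if not nats:
        findings.append("no nat rule: LAN hosts will not be translated")
    for nat in nats:
        # Anti-spoof rules whose prefix contains the NAT'd prefix.
        cover = [a for a in antispoof
                 if a["net"].version == nat["net"].version
                 and nat["net"].subnet_of(a["net"])]
        if not cover:
            findings.append(f"{nat['net']}: NAT'd but no anti-spoof block "
                            f"for packets arriving on other interfaces")
        for a in cover:
            if a["net"] != nat["net"]:
                findings.append(f"{nat['net']}: anti-spoof rule on ! "
                                f"{a['lan_if']} uses {a['net']} "
                                f"(mask differs from the nat rule)")
    for p in pass_in:
        if not any(p["net"] == n["net"] for n in nats):
            findings.append(f"pass in on {p['lan_if']} for {p['net']} "
                            f"has no matching nat rule")
    return findings


if __name__ == "__main__":
    for finding in check_ruleset(RULESET):
        print("WARN", finding)
```

Run against the quoted excerpt it reports two mask mismatches (192.168.1.0/27 vs /24 and 192.168.0.0/29 vs /24); with the NAT lines commented out, as the poster had them earlier, it reports the missing NAT rule and the two pass-in rules that then have no translation. Feeding it the real output of `pfctl -n -v -f /etc/pf.conf` is the intended use.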