Date: Thu, 25 May 2006 14:31:11 +0200
From: peter@bgnett.no (Peter N. M. Hansteen)
To: freebsd-pf@freebsd.org
Subject: Re: pf configuration de Argentina
Message-ID: <86slmy1e28.fsf@amidala.datadok.no>
In-Reply-To: <4474CE3D.8050702@clacso.edu.ar> (gus@clacso.edu.ar's message of "Wed, 24 May 2006 18:21:01 -0300")
References: <4474CE3D.8050702@clacso.edu.ar>
gus <gus@clacso.edu.ar> writes:

> but now the problem is pf....
> I had changed the line but, when I tried to connect my machine
> 168.96.200.196 ... to 6K....
> It does not see this bandwidth, and so gets access at 100 K....

your rule set doesn't do a whole lot - if you remove the lines which are
commented out, you get

-- [ snip ] --

ext_if="xl0" # replace with actual external interface name i.e., dc0
int_if="xl1" # replace with actual internal interface name i.e., dc1
internal_net="168.96.200.0/24"
table <lan> { 168.96.200.87, 168.96.200.8, 168.96.200.55, 168.96.200.196 }

set loginterface $int_if
set fingerprints "/etc/pf.os"

altq on $int_if bandwidth 100Mb cbq queue { dflt_in, uext1_in }
altq on $ext_if bandwidth 600Kb cbq queue { dflt_out }
queue dflt_in cbq (default) bandwidth 60%
queue dflt_out cbq (default)
queue uext1_in bandwidth 6Kb

uext1="168.96.200.196"

nat on $ext_if from <lan> to any -> ($ext_if)
pass in on $int_if from $uext1 to any queue uext1_in

-- [ unsnip ] --

(except possibly your lack of keep state and friends may be what trips
you up, since nat really needs state) which makes me suspect that the
problem lies elsewhere. Have you enabled gatewaying, for example? Check
the output from

$ sysctl net.inet.ip.forwarding

If it is net.inet.ip.forwarding: 0, that's where your problem is located.

Next, I would try to get rid of the altq parts until you have useful
filtering and NAT in place. One suggestion (untested but fairly trivial)
for a starting point would be

ext_if="xl0" # replace with actual external interface name i.e., dc0
int_if="xl1" # replace with actual internal interface name i.e., dc1
internal_net="168.96.200.0/24"
table <lan> { 168.96.200.87, 168.96.200.8, 168.96.200.55, 168.96.200.196 }

nat on $ext_if from $internal_net to any -> ($ext_if)
block all
pass from <lan> to any keep state

You may also want to take a peek at my PF tutorial located at
http://www.bgnett.no/~peter/pf/, updated with some wart removal after
BSDCan and SANE.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds.
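As an added example (not code from the message above, nor from the pf project), here is a small Python consistency check for a pf.conf text that catches the kind of slip this thread turns on: a macro referenced under one name but defined under another, queues assigned in rules but never defined or never attached to an altq, an altq without exactly one default queue, and pass rules with no explicit state keyword while a nat rule is present. The sample rule set is constructed for the example, mirrors the shape of the rule sets in the message, and deliberately contains a `$localnet` / `internal_net` mismatch. The state check is a heuristic that only matters on pf versions from before keep state became the default for pass rules (OpenBSD 4.1, FreeBSD 7.0); `pfctl -nf /etc/pf.conf` on the firewall itself remains the authoritative parse.

```python
"""
Static consistency checks for a pf.conf rule set, runnable anywhere
(no pf needed): undefined/unused macros, undefined tables, queue and
altq mismatches, and stateless pass rules alongside nat.
"""
import re

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=')
MACRO_USE = re.compile(r'\$([A-Za-z_]\w*)')
TABLE_DEF = re.compile(r'^table\s+<([^>]+)>')
TABLE_USE = re.compile(r'<([^>]+)>')
ALTQ_DECL = re.compile(r'^altq\s+on\s+(\S+).*\bqueue\s*\{([^}]*)\}')
QUEUE_DEF = re.compile(r'^queue\s+(\S+)(.*)$')
RULE_QUEUE = re.compile(r'^(?:pass|match)\b.*\bqueue\s+(\([^)]*\)|\S+)')
STATE_KW = re.compile(r'\b(keep|modulate|synproxy)\s+state\b')

# Constructed sample rule set for this example: "nat ... from $localnet"
# references a macro that was defined as "internal_net", dflt_out is
# defined but no altq lists it, and two pass rules carry no state keyword.
SAMPLE = """\
ext_if="xl0"          # external interface
int_if="xl1"          # internal interface
internal_net="168.96.200.0/24"
table <lan> { 168.96.200.87, 168.96.200.8, 168.96.200.196 }

altq on $int_if bandwidth 100Mb cbq queue { dflt_in, uext1_in }
queue dflt_in cbq(default) bandwidth 60%
queue uext1_in bandwidth 6Kb
queue dflt_out cbq(default)

nat on $ext_if from $localnet to any -> ($ext_if)
block all
pass from <lan> to any keep state
pass in on $int_if from <lan> to any queue uext1_in
pass out on $ext_if to any queue dflt_out
"""


def strip_comment(line):
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split('#', 1)[0].strip()


def lint(conf):
    """Return a list of human-readable findings for the rule set text."""
    findings = []
    macros_def, macros_used = set(), set()
    tables_def, tables_used = set(), set()
    altq_children = {}   # interface as written -> queues listed in its altq
    queue_defs = {}      # queue name -> remainder of its definition line
    rule_queues = set()  # queues assigned by pass/match rules
    has_nat = False
    stateless_pass = []  # line numbers of pass rules lacking a state keyword

    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = strip_comment(raw)
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros_def.add(m.group(1))
        macros_used.update(MACRO_USE.findall(line))

        m = TABLE_DEF.match(line)
        if m:
            tables_def.add(m.group(1))
            continue
        tables_used.update(TABLE_USE.findall(line))

        m = ALTQ_DECL.match(line)
        if m:
            altq_children[m.group(1)] = [q.strip() for q in m.group(2).split(',') if q.strip()]
            continue
        m = QUEUE_DEF.match(line)
        if m:
            queue_defs[m.group(1)] = m.group(2)
            continue

        if line.startswith('nat '):
            has_nat = True
        # Heuristic for pf before OpenBSD 4.1 / FreeBSD 7.0, where pass
        # rules were stateless unless told otherwise.
        if line.startswith('pass') and not STATE_KW.search(line):
            stateless_pass.append(lineno)
        m = RULE_QUEUE.match(line)
        if m:
            rule_queues.update(q.strip() for q in m.group(1).strip('()').split(','))

    for name in sorted(macros_used - macros_def):
        findings.append(f'macro ${name} used but never defined')
    for name in sorted(macros_def - macros_used):
        findings.append(f'macro ${name} defined but never used')
    for name in sorted(tables_used - tables_def):
        findings.append(f'table <{name}> used but never defined')
    declared = {q for qs in altq_children.values() for q in qs}
    for name in sorted(declared - set(queue_defs)):
        findings.append(f'queue {name} listed in altq but has no queue definition')
    for name in sorted(set(queue_defs) - declared):
        findings.append(f'queue {name} defined but not attached to any altq')
    for name in sorted(rule_queues - set(queue_defs)):
        findings.append(f'queue {name} assigned in a rule but never defined')
    for ifc, qs in altq_children.items():
        defaults = [q for q in qs if 'default' in queue_defs.get(q, '')]
        if len(defaults) != 1:
            findings.append(f'altq on {ifc}: {len(defaults)} default queues (need exactly 1)')
    if has_nat:
        for lineno in stateless_pass:
            findings.append(f'line {lineno}: pass rule without a state keyword while nat is in use')
    return findings


if __name__ == '__main__':
    for finding in lint(SAMPLE):
        print(finding)
```

Run it against the constructed sample and it reports the `$localnet` reference, the unused `internal_net`, the orphaned `dflt_out` queue, and the two stateless pass rules; feed it a real `/etc/pf.conf` and it gives the same kind of answer without the box having to be the firewall.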