Dorian Büttner wrote:
> Jean-François SIMON wrote:
> > Hello James,
> > If no output to parse means no errors, and verbose mode just repeats all
> > the lines of the pf.conf, then yes it parses.
> >
> > pflog0 keeps silent, nothing in here while trying to connect from the
> > subnet to the internet.
> >
> > 2009/5/10 James Records <james.reco...@gmail.com>
> >
> >
> >> Does your pf.conf parse? Try pfctl -nf /etc/pf.conf; if it's not parsing
> >> it will not load and behave as you describe. Also tcpdump on the pflog
> >> interface as well to give yourself another data point
> >>
> >> J
> >>
> >> Sent from my iPhone
> >>
> >> On May 9, 2009, at 3:05 PM, Jean-François SIMON <jfsimon1...@gmail.com>
> >> wrote:
> >>
> >>> Sorry for forgetting the rest, here you are:
> >>
> >>> ext_if is actually working, configured to an ADSL box using DHCP, and
> >>> actually lynx displays pages.
> >>>
> >>> int_if is the local network that I want to go through the OpenBSD box
> >>> to access the internet so I can filter with pf.
> >>>
> >>> The configuration is a standard NAT rule + packet forwarding between the
> >>> two interfaces, called em0 and em1, resp. ext_if and int_if.
> >>>
> >>> As indicated before, I have pf enabled, inet forward lines uncommented in
> >>> sysctl.conf
> >>>
> >>> Packets are received on int_if but not forwarded to ext_if.
> >>>
> >>> Did I miss something? Here below is pf.conf
> >>>
> >>> 2009/5/9 Robert <rob...@openbsd.pap.st>
> >>>
> >>>> On Sat, 9 May 2009 22:52:32 +0200
> >>>> Jean-François SIMON <jfsimon1...@gmail.com> wrote:
> >>>> # cat /etc/pf.conf
> >>>> #       $OpenBSD: pf.conf,v 1.38 2009/02/23 01:18:36 deraadt Exp $
> >>>> #
> >>>> # See pf.conf(5) for syntax and examples; this sample ruleset uses
> >>>> # require-order to permit mixing of NAT/RDR and filter rules.
> >>>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> >>>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
> >>>>
> >>>> ext_if="em0"
> >>>> int_if="em1"
> >>>>
> >>>> set loginterface $ext_if
> >>>> set require-order no
> >>>> set skip on lo
> >>>> scrub in all
> >>>>
> >>>> # NAT/filter rules and anchors for ftp-proxy(8)
> >>>> #nat-anchor "ftp-proxy/*"
> >>>> #rdr-anchor "ftp-proxy/*"
> >>>> nat on $ext_if from ($int_if:network) -> ($ext_if)
> >>>> #rdr pass on ! egress proto tcp to port ftp -> 127.0.0.1 port 8021
> >>>> #anchor "ftp-proxy/*"
> >>>> #pass out proto tcp from $proxy to any port ftp
> >>>>
> >>>> # NAT/filter rules and anchors for relayd(8)
> >>>> #rdr-anchor "relayd/*"
> >>>> #anchor "relayd/*"
> >>>>
> >>>> # NAT rules and anchors for spamd(8)
> >>>> #table <spamd-white> persist
> >>>> #table <nospamd> persist file "/etc/mail/nospamd"
> >>>> #no rdr on egress proto tcp from <nospamd> to any port smtp
> >>>> #no rdr on egress proto tcp from <spamd-white> to any port smtp
> >>>> #rdr pass on egress proto tcp from any to any port smtp -> 127.0.0.1 port spamd
> >>>>
> >>>> #block in
> >>>> pass in
> >>>> pass out
> >>>>
> >>>> #pass in on $int_if proto tcp to any port 80
> >>>>
> >>>> #block in quick from urpf-failed to any # use with care
> >>>>
> >>>> # By default, do not permit remote connections to X11
> >>>> block in on ! lo0 proto tcp from any to any port 6000
> >>>>
> >>>> antispoof for ext_if
> >>>>
> >>>>> Hello,
> >>>>>
> >>>>> Please can you help me with this:
> >>>>>
> >>>>> I just installed the 4.5 OpenBSD, set up the inet forwarding for
> >>>>> unicast and multicast, include the standard NAT rule in pf.conf such
> >>>>> as: nat on $ext_if from ($int_if:network) -> ($ext_if)
> >>>>> enable pf
> >>>>> check with pfctl -s nat that the correct rule is set.
> >>>>>
> >>>>> That does not work, with tcpdump I see that packets are not
> >>>>> forwarded, I see them on int_if but not on ext_if.
> >>>>>
> >>>>> Can you give me some help to find out where the problem is?
> >>>>>
> >>>>> Thanks.
> >>>>>
> >>>>>
> >>>> Because you don't have a pass rule they get blocked?
> >>>> Guessing only goes so far.
> >>>>
> >>>> Tell us what you want to do.
> >>>> Tell us what you tried to get it working.
> >>>> Tell us what is in your relevant configs.
> >>>>
> >>>> Perhaps then someone can tell you what to do.
> >>>>
> >>>> - Robert
> >>>>
> Do you have sysctl net.inet.ip.forwarding=1? As described on top of pf.conf?
>
Have you booted since?
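The checks suggested in this thread (the forwarding sysctl, pf being enabled, the NAT rule actually loaded, pfctl -nf for a parse check, tcpdump on pflog0) gathered into one read-only checklist script. This is an added example, not code from the thread or from OpenBSD; the interface name em0 and the sample command outputs are constructed assumptions, and the parsing functions take command output as text so the logic can be exercised away from a gateway.

```shell
#!/bin/sh
# Added example (not from the thread): a read-only checklist for an OpenBSD pf
# NAT gateway that sees packets on int_if but never forwards them out ext_if.
# Each check takes command output as a string, so the logic runs offline;
# run_checks() collects live output when pfctl is present.
# Interface names and the sample outputs below are constructed assumptions.

# Check 1: IP forwarding. Expects the line printed by
# `sysctl net.inet.ip.forwarding`; OpenBSD prints "name=value".
forwarding_on() {
    case "$1" in
        net.inet.ip.forwarding=1) return 0 ;;
        *) return 1 ;;
    esac
}

# Check 2: pf is enabled. Expects `pfctl -si` output, whose first line
# starts with "Status: Enabled" or "Status: Disabled".
pf_enabled() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled'
}

# Check 3: a NAT rule is loaded on the external interface. Expects
# `pfctl -s nat` output and the interface name (e.g. em0).
nat_rule_on() {
    printf '%s\n' "$1" | grep -q "^nat on $2 "
}

# Combine the three checks into one status line; returns 0 only when all pass.
# Arguments: sysctl output, pfctl -si output, pfctl -s nat output, ext_if.
summarize() {
    ok=0
    if forwarding_on "$1"; then fwd=yes; else fwd=no; ok=1; fi
    if pf_enabled "$2"; then pf=yes; else pf=no; ok=1; fi
    if nat_rule_on "$3" "$4"; then nat=yes; else nat=no; ok=1; fi
    printf 'forwarding=%s pf=%s nat_on_%s=%s\n' "$fwd" "$pf" "$4" "$nat"
    return $ok
}

# Live run on the gateway itself: `run_checks em0`. Also parses the ruleset
# with pfctl -nf, which exits non-zero and names the offending line on a
# syntax error, and prints the tcpdump invocation for watching pflog0.
run_checks() {
    ext_if=${1:-em0}
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found: run this on the pf gateway" >&2
        return 2
    fi
    summarize "$(sysctl net.inet.ip.forwarding)" "$(pfctl -si)" \
              "$(pfctl -s nat)" "$ext_if" || echo "at least one check failed" >&2
    pfctl -nf /etc/pf.conf && echo "/etc/pf.conf parses"
    echo "to watch blocked packets: tcpdump -n -e -ttt -i pflog0"
}

# Constructed sample outputs, mimicking a box where the sysctl is still off
# (the situation the thread ends up suspecting).
SAMPLE_SYSCTL_OFF='net.inet.ip.forwarding=0'
SAMPLE_SYSCTL_ON='net.inet.ip.forwarding=1'
SAMPLE_PFCTL_SI='Status: Enabled for 0 days 00:12:34           Debug: Urgent'
SAMPLE_PFCTL_SN='nat on em0 inet from 192.168.1.0/24 to any -> (em0) round-robin'
```

On the gateway, `summarize "$SAMPLE_SYSCTL_OFF" "$SAMPLE_PFCTL_SI" "$SAMPLE_PFCTL_SN" em0` prints `forwarding=no pf=yes nat_on_em0=yes` and exits 1, which is exactly the state a box shows when pf.conf is fine but the sysctl in /etc/sysctl.conf has not taken effect yet; `run_checks em0` does the same against live output.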
