pf nat with pool addresses
Hi all,

I am trying to use pf nat rules with pool support on FreeBSD 8.0, working together with ipfw as the main firewall. According to the NAT concepts I came across in manuals and docs, the NAT concept is to map the source address to the natted address when sending the packets from that source and then map the destination address of the related reply packets. But when I define pf nat rules with a pool of IP addresses that are not among the outside interface's IP addresses, the outgoing traffic is natted to one of the pool addresses, but the response is not received via that interface, so pf cannot map the destination address back to the real one.

Here is one of the configs I used during my tests:

configurations:

pf.conf:

  nat on eth1 from { 11.11.11.0/24 } to any -> { 172.16.10.1, 172.16.10.2, 172.16.10.3, 172.16.10.4, 172.16.10.5, 172.16.10.6, 172.16.10.7, 172.16.10.8, 172.16.10.9, 172.16.10.10 }

main system configurations:

  eth0: 11.11.11.1
  eth1: 172.16.10.64

system A: directly connected to eth0 - 11.11.11.11
system B: directly connected to eth1 - 172.16.10.65

In this config the default route of system A and system B is the middle system's connected IP address. As mentioned, when system A pings system B, the ping requests are natted to 172.16.10.1 and received at system B, but system B doesn't send ICMP replies because it doesn't know to whom it should send the replies (no answer to system B's ARP requests about who has the natted IP).

Now my question is, isn't it the pf nat's responsibility to manage this condition and send the ARP replies to system B? Or are my configs wrong? Or have I misunderstood the NAT concepts?

Any ideas or help are really appreciated, as I have to set this NAT up on my main system asap.

Thanks in advance.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
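The failure in this post, pool addresses that no interface owns so that nobody on the segment answers ARP for them, can be caught before the ruleset is loaded. The script below is an added example and not code from the post or from pf: it parses a constructed pf.conf fragment and constructed ifconfig output (interface names and addresses are sample values chosen to mirror the question) and reports every pool address the egress interface does not carry. Macros such as $ext_if are not expanded; CIDR pool entries are expanded to every address in the block.

```python
"""Report pf nat pool addresses that the egress interface does not own.

pf rewrites packets but never answers ARP, so a translated reply addressed
to a pool address nobody holds is ARPed for by the next hop and dropped.
Added example with constructed sample input; not from the mailing list.
"""
import re
from ipaddress import ip_network

# Constructed sample pf.conf: the rule shape from the question with a
# three-address pool, plus a rule that translates to the interface address.
SAMPLE_PF_CONF = """\
# constructed sample
nat on eth1 from { 11.11.11.0/24 } to any -> { 172.16.10.1, 172.16.10.2, 172.16.10.3 }
nat on eth1 from 10.0.0.0/8 to any -> (eth1)
"""

# Constructed sample ifconfig output: eth1 carries its primary address and
# one alias (172.16.10.1), so only the other two pool addresses are unowned.
SAMPLE_IFCONFIG = """\
eth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 11.11.11.1 netmask 0xffffff00 broadcast 11.11.11.255
eth1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.16.10.64 netmask 0xffffff00 broadcast 172.16.10.255
        inet 172.16.10.1 netmask 0xffffffff broadcast 172.16.10.1
"""

NAT_RULE = re.compile(r"^\s*nat\b.*?\bon\s+(\S+).*?->\s*(.+?)\s*$")
IFACE_HDR = re.compile(r"^(\S+):\s+flags=")
INET_LINE = re.compile(r"^\s+inet\s+(\d+\.\d+\.\d+\.\d+)\b")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?")


def parse_ifconfig(text):
    """Map interface name -> set of IPv4 addresses (primary and aliases)."""
    addrs, cur = {}, None
    for line in text.splitlines():
        hdr = IFACE_HDR.match(line)
        if hdr:
            cur = hdr.group(1)
            addrs.setdefault(cur, set())
            continue
        inet = INET_LINE.match(line)
        if inet and cur is not None:
            addrs[cur].add(inet.group(1))
    return addrs


def parse_nat_pools(text):
    """Return [(interface, [pool addresses])] for each nat rule whose target
    is a literal address list. A "-> (ifname)" target uses the interface's
    own address and cannot have this problem, so it is skipped."""
    pools = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        rule = NAT_RULE.match(line)
        if not rule:
            continue
        iface, target = rule.group(1), rule.group(2)
        if target.startswith("("):
            continue
        pool = []
        for tok in IPV4.findall(target):
            if "/" in tok:
                # Expand a CIDR pool entry to every address in the block.
                pool.extend(str(a) for a in ip_network(tok, strict=False))
            else:
                pool.append(tok)
        pools.append((iface, pool))
    return pools


def missing_pool_addresses(pf_conf, ifconfig_out):
    """Return [(interface, address)] for pool addresses the interface does
    not own; replies translated to these addresses will never come back."""
    owned = parse_ifconfig(ifconfig_out)
    missing = []
    for iface, pool in parse_nat_pools(pf_conf):
        for addr in pool:
            if addr not in owned.get(iface, set()):
                missing.append((iface, addr))
    return missing


if __name__ == "__main__":
    for iface, addr in missing_pool_addresses(SAMPLE_PF_CONF, SAMPLE_IFCONFIG):
        print(f"{iface}: pool address {addr} is not configured on the interface; "
              f"add it, e.g. ifconfig {iface} inet {addr} netmask 0xffffffff alias")
```

Run against real input with `pfctl -n -f /etc/pf.conf` already passing and `ifconfig -a` piped in; each reported address either needs an alias on the interface (the `ifconfig ... alias` form above, or an `ifconfig_<if>_alias0` entry in rc.conf) or a published ARP entry via arp(8), otherwise the pool is unusable regardless of the pf rules.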
pf + NAT + log
Hi everyone. This is probably better suited for freebsd-pf@ but I'll give it a go before spamming YAML.

I'm testing NAT on FreeBSD 8.1. My setup is very simple:

My workstation - { internal network switch } - FreeBSD 8.1 routing firewall with squid 3 - { switch going to Internet }

My pf configuration is a bare minimum for passing everything and logging at every stage I can think of. I'll start filtering after I get this sorted out.

pf.conf:
===
ext_if=bge0
int_if=bge1

rdr pass log(all) on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
nat pass log(all) on $ext_if from $int_if:network to any -> ($ext_if)

pass log(all) on $int_if
pass log(all) on $ext_if
===

If my internal workstation is 10.201.201.1, the external interface on my FreeBSD machine is 10.100.100.1 and I ssh to a server at 10.1.1.1, the connection works. On the server I get a connection on port 22 from the FreeBSD router on source port 3. This is confirmed by netstat and tcpdump on the server. On the workstation, tcpdump and netstat confirm a connection from the workstation to the server; destination port is 22, source port is 1. On the FreeBSD router, 'pfctl -s s' confirms:

all tcp 10.201.201.1:1 -> 10.100.100.1:3 -> 10.1.1.1:22 ESTABLISHED:ESTABLISHED

Here is where my problem sits. If I do a tcpdump of the pflog, I get an entry from my workstation to the server showing communication from port 1 to port 22. I get an entry from the FreeBSD router to the server, from port 3 to port 22. What I don't get, and what I desperately need, is a way to show that the connection from the FreeBSD router to the server is on behalf of my workstation.

Have I missed something in the NAT configuration that logs the actual translations?
Can you configure pf to log similar to the output of pfctl where it shows something like:

time protocol stuff 10.201.201.1.1 10.100.100.1.3 10.1.1.1.22 TCP stuff

Basically, I need to log all of the translations such that if I have five internal machines all ssh to one server around the same time, and the server admin comes back and says, one of your users tried to login as root from port 12345, I can go back and look at the pflog and say, oh, that connection was a NAT translation from workstation.

Thanks!
kmw
PPPoE client+pf+nat
Hello,

I am looking to configure my FreeBSD 8.0 machine for the purpose specified in the subject. Let's say I have two NICs in my PC: ext_if (for wan/pppoe connection) and int_if for my LAN. How would you manage to get NAT working with pf using PPPoE from my ISP? I'd like to use DHCP on my LAN.

Thank you for your ideas!
Laci
Re: PPPoE client+pf+nat
On Tue, 27 Oct 2009 06:51:26 -0700 (PDT), Dánielisz László laszlo_daniel...@yahoo.com wrote:
> Hello, I am looking to configure my FreeBSD 8.0 machine for the purpose specified in the subject. Let's say I have two NICs in my PC: ext_if (for wan/pppoe connection) and int_if for my LAN. How would you manage to get NAT working with pf using PPPoE from my ISP; I'd like to use DHCP on my LAN.

It's quite easy, I did this in the past with FreeBSD 5.

1. PPPoE

Set up /etc/ppp/ppp.conf with the correct data for your ISP. It would be like this:

  <pppoe provider name, arbitrary>:
    set device PPPoE:<external interface>
    set authname <username for PPPoE connection>
    set authkey <password>
    set dial
    set login
    add default HISADDR

In /etc/rc.conf, enter

  ifconfig_<external interface>="up"
  ppp_enable="YES"
  ppp_profile="<pppoe provider name as in /etc/ppp/ppp.conf>"
  ppp_mode="ddial"
  ppp_nat="YES"

for the external interface, and for the internal one:

  ifconfig_<internal interface>="inet 192.168.100.1 netmask 0xff00"
  (or any other subnet definition you like)
  dhcpd_enable="YES"
  dhcpd_conf="/usr/local/etc/dhcpd.conf"
  dhcpd_ifaces="<internal interface>"
  dhcpd_flags="-q"

Keep in mind that you have to load

  netgraph_load="YES"
  ng_ether_load="YES"
  ng_pppoe_load="YES"
  ng_socket_load="YES"

per /boot/loader.conf in order to enable the Netgraph subsystem. I think tho

2. PF

Sorry, I'm not familiar with PF, I always used IPFW. So I had the rule

  add divert natd ip from any to any via <external interface>

prior to the other rules that formed a setting to be described as: "Only allow those (named) ports for connections, disallow anything else."

3. DHCP

Install the ISC DHCP server from ports and configure the settings for the local network as intended.
This is usually done in /usr/local/etc/dhcpd.conf with content like this:

  option domain-name-servers <your ISP's name servers>;
  ddns-update-style none;
  subnet 192.168.100.0 netmask 255.255.255.0 {
    range 192.168.100.2 192.168.100.250;
    option routers 192.168.100.1;
  }

You can add host entries for well-known hosts so they always get the same IP according to their MAC, and "deny unknown-clients;" to force MAC knowledge.

Since I ran this setting in v5, the kernel configuration was required to have

  options DUMMYNET
  options IPFIREWALL
  options IPFIREWALL_VERBOSE
  options IPFIREWALL_DEFAULT_TO_ACCEPT
  options IPDIVERT

in the file. I'm sure this is not needed anymore, because there are modules for this. Of course, you can include the options for NETGRAPH here, too.

IMPORTANT NOTE: I'm not using such a setting anymore, so I'm not sure if this is still recommended or even working on v8.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: PPPoE client+pf+nat
On Tue, 27 Oct 2009 06:51:26 -0700 (PDT) Dánielisz László laszlo_daniel...@yahoo.com wrote:
> Let's say I have two NICs in my PC: ext_if (for wan/pppoe connection) and int_if for my LAN. How would you manage to get NAT working with pf using PPPoE from my ISP

As a start your pf.conf could look a bit like this:

#
ext_if = "tun0"
int_if = "em1"
localnet = $int_if:network

set block-policy return
set skip on lo0
scrub in all

nat on $ext_if from $localnet to any -> ($ext_if)

antispoof for ($ext_if)
antispoof for $int_if

block in log all

pass inet from { lo0, $localnet } to any
pass out on $ext_if all
#

Andreas
-- 
GnuPG key : 0x2A573565 | http://www.gnupg.org/howtos/de/
Fingerprint: 925D 2089 0BF9 8DE5 9166 33BB F0FD CD37 2A57 3565
Re: PPPoE client+pf+nat
On Tue, 27 Oct 2009 06:51:26 -0700 (PDT) Dánielisz László laszlo_daniel...@yahoo.com wrote:
> Hello, I am looking to configure my FreeBSD 8.0 machine for the purpose specified in the subject. Let's say I have two NICs in my PC: ext_if (for wan/pppoe connection) and int_if for my LAN. How would you manage to get NAT working with pf using PPPoE from my ISP; I'd like to use DHCP on my LAN.

PPPoE is documented in the handbook, I'd suggest you set that up first together with a simple pf firewall to secure the system. There are plenty of howtos for PF+NAT+DHCP.

I would suggest you also run a DNS cache so dhcp clients can be given a fixed private IP address instead of the ISP servers.

FWIW you may not actually need two NICs, if you have a modem/router with multiple ports you may be able to get away with PPPoE and your lan sharing the same NIC (your wan interface being tun0).
pf nat dual gateways
Hi,

I would need some help in getting this working. The idea is pretty simple, I have a box with 3 NICs; 2 for net pipes, and one for LAN. Routing and NAT work, however, I need that requests to u_ips always get NATed through u_if, and everything else through ext_if. As it is now, everything goes through ext_if.

ext_if="tun0"
int_if="vr0"
u_if="ed0"
ext_services="{}"
int_services="{53,80}"
rdp_port="{3232}"
rdp_srv="{192.168.0.250}"
u_ips="{123.123.123.123}"
u_gw="192.168.1.1"
localnet=$int_if:network

set skip on lo0
set optimization aggressive
set limit states 5
scrub in all

nat on $ext_if from $localnet to any -> ($ext_if)
nat on $u_if from $localnet to $u_ips -> ($u_if)
rdr pass on $ext_if proto tcp from any to $ext_if port $rdp_port -> $rdp_srv port 3389

antispoof for $ext_if
antispoof for $u_if

block drop all
pass in inet proto tcp from any to any port $ext_services \
    flags S/SA keep state
pass in inet proto {tcp,udp} from $localnet to $int_if port $int_services \
    flags S/SA keep state
pass out all keep state
pass from $localnet to any keep state

And here's ifconfig:

vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC>
        ether 00:13:d4:a7:84:f9
        inet 192.168.0.254 netmask 0xff00 broadcast 192.168.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 52:54:00:df:92:3f
        inet 192.168.1.5 netmask 0xff00 broadcast 192.168.1.255
        media: Ethernet autoselect (10baseT/UTP)
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:02:44:59:91:d5
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff00
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
        inet 111.111.111.111 --> 111.111.111.254 netmask 0x
        Opened by PID 449

As you can see, u_if (ed0) has IP addr 192.168.1.5, and the gateway is 192.168.1.1 (u_gw).

Running 7.2-RELEASE, amd64.

Any help is appreciated. Thanks.

-- 
Ghirai.
Re: PF NAT, how to forward GRE?
Mel [EMAIL PROTECTED] writes:
> I take it you mean gre(4), which defines two IP protocols. So your rules will need to include proto gre or proto mobile to identify the traffic. Something like:
>
> nat on $wan_if proto gre from $int_if:network to any -> ($wan_if)

and don't forget to include a matching pass rule.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: PF NAT, how to forward GRE?
On Thursday 27 September 2007 02:47:14 Paul Fraser wrote:
> I'd like to forward all incoming GRE traffic on the WAN link to a system on the wired network. Could anyone advise how?

I take it you mean gre(4), which defines two IP protocols. So your rules will need to include proto gre or proto mobile to identify the traffic. Something like:

nat on $wan_if proto gre from $int_if:network to any -> ($wan_if)

-- 
Mel
PF NAT, how to forward GRE?
Hello list,

I've got a box serving as a router between a wired and wireless network, as well as providing NAT services for a WAN link to the two aforementioned systems. I'd like to forward all incoming GRE traffic on the WAN link to a system on the wired network. Could anyone advise how? I thought the PF manual was perhaps a bit vague about forwarding specific protocols (or for that matter, if it's even possible)...

Cheers,
Paul.
I need to create PF (NAT) log file.
About Network Address Translation. I need to create a PF log file that has the external and local IP address mapping. I need a log file that has a result like the pfctl -ss command. How do I create it?
Re: I need to create PF (NAT) log file.
chamnan chaladpat wrote:
> About Network Address Translation. I need to create a PF log file that has the external and local IP address mapping. I need a log file that has a result like the pfctl -ss command. How do I create it?

From a bit of googling in the archives, I think the easiest way to do this is using packet tags:

nat on $ext_if from !($ext_if) to any tag NAT_TRAFFIC -> ($ext_if)
pass log on $ext_if tagged NAT_TRAFFIC keep state

Note I have only done very cursory testing, but it seems to work. You can follow the logs in the normal way, using tcpdump(1).

HTH
Dan
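Both this thread and the "pf + NAT + log" thread above want the same thing: a record that maps the translated source (what a remote admin sees) back to the internal host. The tagged `pass log` rule gives per-packet pflog records; the state table gives the mapping itself. The script below is an added example, not code from either thread or from pf: it parses `pfctl -s state` output in the layout the "pf + NAT + log" thread quotes (the lines here are constructed sample values, not a real capture), answers "which internal host was behind 10.100.100.1 port 12345?", and renders each translated state as a log line.

```python
"""Resolve a translated connection back to the internal host behind it,
using 'pfctl -s state' output, and render translations as log lines.

Added example with constructed sample states; not from the mailing list.
Each state line reads:
   <if> <proto> <internal src> -> <translated src> -> <destination> <state>
A line with a single arrow is a state pf did not translate.
"""
import re
from collections import namedtuple

Translation = namedtuple(
    "Translation", "proto orig_src orig_sport nat_src nat_sport dst dport state")

# Constructed sample: three workstations behind 10.100.100.1 talking to the
# same server, one UDP state, and one untranslated state from the box itself.
SAMPLE_STATES = """\
all tcp 10.201.201.1:54321 -> 10.100.100.1:12345 -> 10.1.1.1:22       ESTABLISHED:ESTABLISHED
all tcp 10.201.201.2:49152 -> 10.100.100.1:55001 -> 10.1.1.1:22       ESTABLISHED:ESTABLISHED
all tcp 10.201.201.3:49153 -> 10.100.100.1:55002 -> 10.1.1.1:22       FIN_WAIT_2:FIN_WAIT_2
all udp 10.201.201.1:51000 -> 10.100.100.1:51000 -> 10.1.1.53:53      MULTIPLE:SINGLE
all tcp 10.100.100.1:60000 -> 10.1.1.1:80                              ESTABLISHED:ESTABLISHED
"""

ENDPOINT = r"(\d+\.\d+\.\d+\.\d+):(\d+)"
STATE_LINE = re.compile(
    rf"^(\S+)\s+(\w+)\s+{ENDPOINT}\s+->\s+{ENDPOINT}(?:\s+->\s+{ENDPOINT})?\s+(\S+)$")


def parse_states(text):
    """Parse 'pfctl -s state' lines into Translation records. Untranslated
    states are kept with the translated endpoint equal to the original, so
    lookups stay uniform. ICMP states use another layout and are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_LINE.match(line.strip())
        if not m:
            continue
        _iface, proto, a, ap, b, bp, c, cp, state = m.groups()
        if c is None:
            states.append(Translation(proto, a, int(ap), a, int(ap), b, int(bp), state))
        else:
            states.append(Translation(proto, a, int(ap), b, int(bp), c, int(cp), state))
    return states


def who_was(states, proto, nat_src, nat_sport, dst=None, dport=None):
    """Given what the remote admin saw (the NAT box's address and source
    port, optionally the destination), return (internal host, port) or None."""
    for t in states:
        if (t.proto, t.nat_src, t.nat_sport) != (proto, nat_src, nat_sport):
            continue
        if dst is not None and t.dst != dst:
            continue
        if dport is not None and t.dport != dport:
            continue
        return (t.orig_src, t.orig_sport)
    return None


def translation_log(states, stamp=""):
    """One line per translated state, in the 'time proto orig nat dst' shape
    the logging question asks for; untranslated states are left out."""
    lines = []
    for t in states:
        if (t.nat_src, t.nat_sport) == (t.orig_src, t.orig_sport):
            continue
        lines.append(f"{stamp} {t.proto} {t.orig_src}:{t.orig_sport} "
                     f"{t.nat_src}:{t.nat_sport} {t.dst}:{t.dport} {t.state}".strip())
    return lines


if __name__ == "__main__":
    states = parse_states(SAMPLE_STATES)
    print(who_was(states, "tcp", "10.100.100.1", 12345, dst="10.1.1.1", dport=22))
    for line in translation_log(states, stamp="2010-09-01T12:00:00"):
        print(line)
```

Feeding it `pfctl -s state` from a cron job and appending `translation_log()` output to a file gives the lookup table the questions ask for, but it is a snapshot: a connection that opens and closes between two runs never appears. The tagged `pass log` rule above, read back with `tcpdump -n -e -ttt -r /var/log/pflog`, records every packet of every tagged flow, so the two approaches complement each other: pflog proves the flow existed, the state dump (or a state-change log from `pflog` with `log (all)`) supplies the address the remote side saw.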
Re: PF NAt
> /etc/pf.conf
> exter_if = vr0
             ^^^
> nat on $exter_if from $inter_if to any -> $exter_if
                                            ^

Now look at the man page about nat/rdr rule syntax:

nat-rule = [ "no" ] "nat" [ "pass" ] [ "on" ifspec ] [ af ] [ protospec ] hosts [ "tag" string ] [ "tagged" string ] [ "->" ( redirhost | "{" redirhost-list "}" ) [ portspec ] [ pooltype ] [ "static-port" ] ]

The grammar says that after the "->" keyword there should be _host(s)_ specified. So, if you want to use a macro pointing to your interface _name_, there's a technique to translate it to its primary or any aliased IP: ($macro)

Your line should look like this:

nat on $exter_if from $inter_if to any -> ($exter_if)
PF NAt
Hello to all the people,

I'm trying for days to get natting to work, but nothing happens.

FreeBSD 6.2

/etc/rc.conf
gateway_enable = "YES"
ifconfig_vr0="inet 192.168.1.2 netmask 255.255.255.0"
ifconfig_xl0="inet 192.168.1.3 netmask 0x"
squid_enable="YES"
---
/etc/pf.conf
exter_if = vr0
inter_if = xl0
nat on $exter_if from $inter_if to any -> $exter_if
rdr on $inter_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

/usr/local/etc/squid/squid.conf
http_port 3128 transparent
visible_hostname foo
#all the rest is left by default

The problem is that another machine can't surf or even ping the external NIC vr0. What am I doing wrong? Help me please.

Thanks in advance.
-- 
$ miguel_alcántara $
"... I start here with the idea of going there, in an experiment to increase, for example, the speed of the Atlantic interoceanic cable; but when I have partly reached the goal, I run into a phenomenon that pushes me in another direction [...] toward something completely unexpected." Thomas A. Edison.
Re: PF NAt
On Apr 26, 2007, at 11:35 AM, Miguel Alcántara wrote:
> /etc/rc.conf
> gateway_enable = "YES"
> ifconfig_vr0="inet 192.168.1.2 netmask 255.255.255.0"
> ifconfig_xl0="inet 192.168.1.3 netmask 0x"
> squid_enable="YES"

You're not going to have much luck trying to do NAT if both interfaces are on the same subnet. Other machines will simply broadcast to the other LAN addresses without being re-written by this machine. For NAT to work, the traffic has to flow through this machine as a router (or gateway), which means that they can't be using something like 192.168.1.1 as the router. You'll have to change vr0 to use a publicly routable IP if you want to use it as the external NIC.

-- 
-Chuck
pf + NAT loopback
I had all of this working with PPPoE + PF, but now I have a T-1 with several IPs all aliased off of the main. pf is working fine, however, I now have lost NAT LOOPBACK.

What I need is a way to go from one LAN machine to the WAN and loop back to the other LAN machine. Since this 'just works' with pppoe, how do I do it with pf?

simple pf.conf:

binat on $bge1 from 192.168.82.170 to any -> 67.x.x.1
binat on $bge1 from 192.168.82.171 to any -> 67.x.x.2
binat on $bge1 from 192.168.82.172 to any -> 67.x.x.3
binat on $bge1 from 192.168.82.173 to any -> 67.x.x.4

and so on. I need to use 192.168.82.172 to go and connect to public 67.x.x.2. This results in an immediate "connection refused". I see nothing in the pflog and I even tried "pass out quick all". So I don't think pf is technically blocking it - but...

Why do I need this? - I run 2 external DNS servers (with views) and as such NS2 needs to talk to NS1 but using the WAN NAT loopbacks.

Help?

-- 
J.D. Bronson
Information Services
Aurora Health Care - Milwaukee, Wisconsin
Office: 414.978.8282 // Fax: 414.977.5299
-Taco Bell is *not* the Mexican Telephone Company-
FreeBSD 5.4 router with pf nat, bug?
Hi,

I have a 5.4-RELEASE-p6 test router and I wanted to do all routing/fw with pf, to learn more pf...

I have added to the kernel options:

device pf
device pflog
device pfsync
options ALTQ

Set up jails with 172.22.x.x addresses, and on the local network I have 192.168.x.x addresses... In ifconfig, rl0 is the real IP and the mapped jails... rl1 is the internal network...

/etc/pf.conf now looks like:
---
ext_if=rl0
int_if=rl1
set state-policy if-bound
set loginterface $ext_if
scrub reassemble tcp fragment reassemble
nat on $ext_if from 172.1.1.1/8 to any -> ($ext_if)
nat on $ext_if from 192.168.1.1/8 to any -> $ext_if
rdr on $ext_if proto tcp from any to 159.148.155.14 port 8080 -> 172.22.1.2 port www
antispoof log quick for $ext_if inet
antispoof log quick for $int_if inet
block in log quick on $ext_if inet from any to ! ($ext_if)
pass quick on lo0 all
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA synproxy state
---

The problem is when I make a connection from a jail or the internal network: for any connection (http, ping, etc.) the first packet goes through and gets a reply, the second doesn't... like:

# traceroute www.ass.lv
traceroute to www.ass.lv (195.13.160.54), 64 hops max, 40 byte packets
 1  my_router (my_router)  0.166 ms  0.143 ms  0.130 ms
 2  * next_router (next_router)  1.274 ms *
 3  titan-v12-gw.latnet.lv (159.148.13.150)  1.970 ms * 1.992 ms
 4  * 80.232.230.89 (80.232.230.89)  2.205 ms *

From my_router all is working ok:
 1  next_router (next_router)  1.331 ms  0.962 ms  1.037 ms
 2  titan-v12-gw.latnet.lv (159.148.13.150)  1.287 ms  0.757 ms  1.660 ms
 3  80.232.230.89 (80.232.230.89)  1.218 ms  2.233 ms  1.352 ms

So only NATed packets get lost every second time... with tcpdump and pf logging, everything shows that nothing is blocking them... Any idea what is going on or how to test where the problem is?

tnx,
K.
Re: just a couple quick pf/nat questions
dave wrote:
> Hi, I used to use ipf under pre-5.3. Now I have switched to pf for various reasons. I have not as of yet deployed it on my router, but I will be doing so. In looking it over, I do not believe pf needs nat_enable; it does all its NATs within the pf.conf file.
> HTH
> Dave.

Why are there three ways of filtering and natting IP packets?

ipfw - This is how my router is working at the moment
ipf - I am just reading and testing this, looks nice
pf - looks the same as ipf

They all have stateful filtering and NAT. What should I choose?
just a couple quick pf/nat questions
Ok, I'm slowly coming out of the fog here, but it looks like I might still have a way to go.

I finally found the part in the handbook that said I didn't have to compile the IPFW* and IPDIVERT configs into the kernel *UNLESS* I wanted NAT. Well, I do, but I didn't compile the kernel with IPFIREWALL et al. Still, I'm planning to migrate to pf, since it's supposed to be better. It seems (from my murky understanding) like it would make tricky NAT stuff easier, so there would be some benefits (battle.net, here I come :).

Problem is, it seems like there's a whole new logical approach with pf, and I can't figure out if pf does the NAT itself or if you still need the nat_enable etc.

Also, with ipfw, I just ran a script that grabbed the current dynamic IP and used it when the script was run. How does pf handle dynamic IPs? If I'm understanding the pf manual at OpenBSD.org, it will simply take the network interface and apply any IP assigned to a given rule. Am I right?

Has anyone else gotten pf running to their satisfaction on 5.3? And are there any pf config generation pages out there yet?

I also noticed that all the sample scripts I've looked at seem to specify ports with either an explicit port number or a macro defined right in the config. I take it pf doesn't use the service tags from /etc/services?

Thanks all.
Lou
-- 
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org
Van Roy's Truism: Life is a whole series of circumstances beyond your control.
Re: just a couple quick pf/nat questions
Hi,

I used to use ipf under pre-5.3. Now I have switched to pf for various reasons. I have not as of yet deployed it on my router, but I will be doing so. In looking it over, I do not believe pf needs nat_enable; it does all its NATs within the pf.conf file.

HTH
Dave.
Re: just a couple quick pf/nat questions
On Monday 13 December 2004 02:35 pm, Louis LeBlanc wrote:
> Still, I'm planning to migrate to pf, since it's supposed to be better. It seems (from my murky understanding) like it would make tricky NAT stuff easier, so there would be some benefits (battle.net, here I come :). Problem is, it seems like there's a whole new logical approach with pf, and I can't figure out if pf does the NAT itself or if you still need the nat_enable etc.

No - the NAT config is incl in pf.conf

> Also, with ipfw, I just ran a script that grabbed the current dynamic IP and used it when the script was run. How does pf handle dynamic IPs? If I'm understanding the pf manual at OpenBSD.org, it will simply take the network interface and apply any IP assigned to a given rule. Am I right?

You are correct.

> Has anyone else gotten pf running to their satisfaction on 5.3?

Haven't tried that yet, but I will soon. I've been using it for quite a while on OpenBSD boxes; it is pretty much wonderful (except it won't pass a Cisco VPN connection through the firewall).

> And are there any pf config generation pages out there yet?

You may want to read the pf User's Guide at: http://www.openbsd.org/faq/pf/index.html

It's got loads of info, and isn't a difficult read. Also, there is a sample config file for a SOHO included. If you Google for pf.conf, you'll turn up butt-loads of others.

> I also noticed that all the sample scripts I've looked at seem to specify ports with either an explicit port number or a macro defined right in the config. I take it pf doesn't use the service tags from /etc/services?

Correct-isimo - you're catching on :)

Jay
Re: just a couple quick pf/nat questions
> And are there any pf config generation pages out there yet?

Look at this: http://www.onlamp.com/pub/a/bsd/2003/06/26/ssn_openbsd.html?page=1

Regards,
Mauricio