#7
2nd December 2008
ivanatora
Real Name: Ivan
Fdisk Soldier
 
Join Date: Jul 2008
Location: Bulgaria
Posts: 51

J65nko, thanks for your suggestion, but I have already said that I'm using tcpdump and I see there is traffic going through.

s2scott, this is an interesting way to do NAT in PF. It is not shown in the tutorials, but it works. I don't understand what the SMT3 rule is for. It doesn't get matched at all.
And I don't think I can do more evaluations on these packets, because of the 'quick' keyword. AFAIK, when a packet is matched in that rule, it doesn't check the next rules at all.

Question: I've accidentally added a rule for queueing, and it was working - the download traffic got shaped (I did not expect that). Why is it working in the "from <network> to <data>" rule? Isn't that the rule that matches upload traffic? As a reminder, the <data> addresses are public servers on the Internet.

This is all of my pf.conf:
Code:
### Macros
int_if = "re0"
ext_if = "rl0"
ext_ip = "192.168.1.2"

### Tables
table <network>  { 192.168.0.34, 192.168.0.223 }
table <data> persist file "/root/ip-store.data"

### Normalizations
scrub in all

### Queueing
altq on $int_if hfsc bandwidth 10Mb queue {general, data}
queue general bandwidth 4Mb hfsc (realtime 4Mb upperlimit 4Mb default)   
queue data bandwidth 1Mb hfsc (realtime 128Kb upperlimit 256Kb)

### Translation
nat pass on $ext_if from <network> to any -> $ext_ip

### Filtering
pass in log (all to pflog1) on $int_if proto tcp from <network> to <data> label "??? in" queue data
pass out log (all to pflog0) on $ext_if proto tcp from <data> to <network> label "??? out"

pflog0 still logs nothing, but you have said it is due to the 192.168/16 private class network, which is not seen from the Internet. (Btw, I thought PF has states for these connections and would recognize traffic for the hosts behind NAT.)
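An annotated rewrite of the pf.conf above, added here as an example (it is not the poster's configuration nor one posted by any respondent), to show which direction and which addresses each rule sees relative to the NAT translation, why the queue assignment on the inbound rule ends up shaping downloads, and where a log statement can actually match. The interface names, $ext_ip, the tables and the queue definitions are taken from the post; the rule labels, the explicit pass out rule and the optional block rule are assumptions.

```pf
### Added example, not the poster's config.  Macros and tables as in the post.
int_if = "re0"
ext_if = "rl0"
ext_ip = "192.168.1.2"

table <network>  { 192.168.0.34, 192.168.0.223 }
table <data> persist file "/root/ip-store.data"

scrub in all

### ALTQ only shapes packets that leave the interface it is attached to.
### On $int_if that is traffic towards the LAN hosts, i.e. the downloads.
### A "queue" assignment on a rule is attached to the state it creates and
### applies to packets of that state in both directions, so the inbound
### LAN->server rule below is what shapes the server->LAN replies.
altq on $int_if hfsc bandwidth 10Mb queue { general, data }
queue general bandwidth 4Mb hfsc (realtime 4Mb upperlimit 4Mb default)
queue data    bandwidth 1Mb hfsc (realtime 128Kb upperlimit 256Kb)

### Translation WITHOUT "pass": translated packets are still evaluated by
### the filter rules on $ext_if, so the pass out rule below can log them.
### (Alternatively keep "nat pass" and add "log" to the nat rule itself.)
nat on $ext_if from <network> to any -> $ext_ip

### $int_if, inbound: NAT has not happened yet, so the source address is
### still the LAN host and "from <network>" matches here.
pass in  log (all to pflog1) on $int_if proto tcp from <network> to <data> \
         label "lan-to-data" queue data

### $ext_if, outbound: NAT has already rewritten the source to $ext_ip,
### so a rule saying "from <network>" can never match on this interface.
pass out log (all to pflog0) on $ext_if proto tcp from $ext_ip to <data> \
         label "data-out"

### Replies from <data> arrive IN on $ext_if, addressed to $ext_ip, and are
### matched by the state created above, not by any "pass out ... from <data>
### to <network>" rule.  Optional default deny for unsolicited inbound traffic:
block in log on $ext_if
```

With this layout the original "pass out ... from <data> to <network>" rule is gone because there is no packet it could ever describe: on $ext_if the outbound packets carry $ext_ip as source, and the packets from <data> are inbound and already covered by state. Logging either the nat rule or the pass out rule with the translated source is what makes the NAT'd flows visible on pflog0.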