DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Installation and Upgrading

FreeBSD Installation and Upgrading Installing and upgrading FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 25th June 2008
TiN-MAN TiN-MAN is offline
Bsd n00b
 
Join Date: Jun 2008
Posts: 3
Thanked 0 Times in 0 Posts
Question Newbie NAT problem

I was wondering if anyone can help me. I have been trying to configure an internet gateway with freebsd. I'm a unix newbie.

The system is up and running. Problem is i want to use PF and NAT to control my internet trough a gateway. But I cannot get it to work. And I have compiled PF support into my current kernel.

sis0 is my external network getting dynamic ip from isp.
rl0 is my internal network running dhcp.

Code:
ADSL Router
(10.0.0.1)
 |
 |
(10.0.0.2)
Freebsd server
(100.0.0.1)
 |
 -----------------
 |               |
(100.0.0.30)    (100.0.0.31)
PC1             PC2
I want to be able to access telnet (SSH) from both sides of the server (both 10.0.0.2 and 100.0.0.1).

I want LAN computers to be able to access the internet but also services on the server (eg. samba shares).

ifconfig output:
Code:
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:1c:c0:49:c2:06
        inet 10.0.0.5 netmask 0xffffff00 broadcast 10.0.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:11:6b:94:cc:f8
        inet 100.0.0.1 netmask 0xffffff00 broadcast 100.0.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>))
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
My my pathetic attempt at creating a working pf.conf

Code:
if_ext = "sis0"                # macro for interface facing int
if_int = "rl0"                 # macro for interface facing loc
localnet = $if_int:network
icmp_types = "{ echoreq, unreach }"
nonroute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, \
                     10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                     0.0.0.0/8, 240.0.0.0/4 }"

set block-policy return
scrub in all
nat on $if_ext from $localnet to any -> ($if_ext)
antispoof for $if_ext
antispoof for $if_int
block all

pass inet proto tcp from {lo0, $localnet } to any keep state
pass inet proto icmp all icmp-type $icmp_types keep state
pass in on $if_ext proto { tcp, udp } from any to any port 3709 #telnet

block drop in quick on $if_ext from $nonroute to any
block drop out quick on $if_ext from any to $nonroute
any ideas where i fail? and how to fix it?

Last edited by TiN-MAN; 25th June 2008 at 07:33 PM.
Reply With Quote
  #2   (View Single Post)  
Old 25th June 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,116
Thanked 182 Times in 149 Posts
Default

The external NIC of your server has IP address 10.0.0.2, which is in your $nonroute macro, and thus get blocked. To check if this true add the following "log" modifiers.
Code:
block log all
....
block  drop in  log quick on $if_ext from $nonroute to any
block  drop out log quick on $if_ext from any to $nonroute
As root run
Code:
tcpdump -eni pflog0
and you will see all blocked packets of your ruleset.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 26th June 2008
TiN-MAN TiN-MAN is offline
Bsd n00b
 
Join Date: Jun 2008
Posts: 3
Thanked 0 Times in 0 Posts
Default

Doh! offcource. Thank you, I will test it as soon as possible.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
PF Configuration for newbie slakic OpenBSD Security 1 20th August 2009 02:35 PM
Newbie kernel question sbonar Programming 11 17th August 2009 11:40 PM
What makes a perfect newbie? jggimi Feedback and Suggestions 32 19th October 2008 02:58 AM
Newbie requesting too much time/effort! MrDetermination FreeBSD General 6 7th August 2008 12:54 PM
Newbie - adventure in gateway world Johnny2Bad FreeBSD General 1 17th May 2008 10:22 AM


All times are GMT. The time now is 11:48 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick