FreeBSD Installation and Upgrading (Installing and upgrading FreeBSD)

Newbie NAT problem
I was wondering if anyone can help me. I have been trying to configure an internet gateway with FreeBSD. I'm a unix newbie.
The system is up and running. Problem is I want to use PF and NAT to control my internet through a gateway. But I cannot get it to work. And I have compiled PF support into my current kernel. sis0 is my external network getting dynamic ip from isp. rl0 is my internal network running dhcp.
Code:
ADSL Router (10.0.0.1)
        |
        |
(10.0.0.2) FreeBSD server (100.0.0.1)
        |
  -----------------
  |             |
(100.0.0.30)  (100.0.0.31)
   PC1           PC2

I want LAN computers to be able to access the internet but also services on the server (eg. samba shares).
ifconfig output:
Code:
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:1c:c0:49:c2:06
        inet 10.0.0.5 netmask 0xffffff00 broadcast 10.0.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:11:6b:94:cc:f8
        inet 100.0.0.1 netmask 0xffffff00 broadcast 100.0.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128

Code:
if_ext = "sis0"      # macro for interface facing int
if_int = "rl0"       # macro for interface facing loc
localnet = $if_int:network
icmp_types = "{ echoreq, unreach }"
nonroute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"

set block-policy return
scrub in all

nat on $if_ext from $localnet to any -> ($if_ext)

antispoof for $if_ext
antispoof for $if_int

block all
pass inet proto tcp from { lo0, $localnet } to any keep state
pass inet proto icmp all icmp-type $icmp_types keep state
pass in on $if_ext proto { tcp, udp } from any to any port 3709 #telnet

block drop in quick on $if_ext from $nonroute to any
block drop out quick on $if_ext from any to $nonroute

Last edited by TiN-MAN; 25th June 2008 at 07:33 PM.
The external NIC of your server has IP address 10.0.0.2, which is in your $nonroute macro, and thus gets blocked. To check if this is true, add the following "log" modifiers.
Code:
block log all
....
block drop in log quick on $if_ext from $nonroute to any
block drop out log quick on $if_ext from any to $nonroute

Code:
tcpdump -eni pflog0
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
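As an added example (not the ruleset of either poster), here is one way to act on the diagnosis above: the upstream link between sis0 and the ADSL router uses 10.0.0.0/24 (taken from the 0xffffff00 netmask in the ifconfig output), so that one /24 is carved back out of the bogon list while the rest of 10.0.0.0/8 stays blocked. The bogon list is moved from a macro into a pf table, because pf allows a negated entry ("!10.0.0.0/24") inside a table but not inside a braced address list. The block rules carry "log" so that hits remain visible on pflog0, and the inbound rule for port 3709 gets "keep state" so its replies are matched by state rather than by the outbound pass rule. Interface names, the 3709 port and the remaining macros are copied from the original post; everything else is an assumption for illustration.

```pf
# Added example, not the poster's config. Assumes sis0 faces an ADSL
# router on 10.0.0.0/24 and rl0 faces the LAN (both from the post above).
if_ext = "sis0"
if_int = "rl0"
localnet = $if_int:network
icmp_types = "{ echoreq, unreach }"

# Bogon/private space that must never appear on the external interface.
# The "!" entry re-allows the 10.0.0.0/24 link network to the ADSL router;
# in a pf table the more specific entry wins over the enclosing /8.
table <nonroute> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                         10.0.0.0/8, !10.0.0.0/24, 169.254.0.0/16, \
                         192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }

set block-policy return
scrub in all

# Translate LAN traffic to whatever dynamic address sis0 currently holds.
nat on $if_ext from $localnet to any -> ($if_ext)

antispoof log for $if_ext
antispoof log for $if_int

# Default deny, logged, so anything not explicitly passed shows on pflog0.
block log all

# Bogon filtering on the external side; "quick" stops rule evaluation here.
block drop in  log quick on $if_ext from <nonroute> to any
block drop out log quick on $if_ext from any to <nonroute>

# Gateway itself and LAN hosts may initiate TCP; ICMP limited to two types.
pass inet proto tcp from { lo0, $localnet } to any keep state
pass inet proto icmp all icmp-type $icmp_types keep state

# The service the poster exposes on the external side, now stateful.
pass in on $if_ext proto { tcp, udp } from any to any port 3709 keep state
```

Check the syntax without loading it (`pfctl -nf /etc/pf.conf`), then load it (`pfctl -f /etc/pf.conf`) and watch `tcpdump -eni pflog0` as in the reply above; the "rule N/0(match)" prefix in that output refers to the rule numbers printed by `pfctl -vvsr`, so each logged drop can be traced to the exact line responsible. One caveat worth knowing when reading those logs: 100.0.0.0/24, used for the LAN here, is not RFC 1918 private space, so those addresses also exist on the public internet and will be unreachable from behind this gateway; NAT itself still works.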
Doh! Of course. Thank you, I will test it as soon as possible.