I am having trouble doing NAT between 2 interfaces with PF.
Here is my setup:
--------fxp0-----[computer]--(rum0)
fxp0 is the 'main' internet connection coming in from an ethernet cable.
rum0 is a USB Wireless Access Point.
I want to be able to connect to rum0 and access the internet through fxp0.
Here is a simple way of doing that:
Code:
$ cat /etc/pf.conf
pass out on fxp0 from rum0:network to any nat-to (fxp0)
(I have rum0 set up with dhcpd and /etc/hostname.rum0 etc.)
So with that pf.conf I can connect to rum0 and access the internet.
However, I would like to set up PF to do this through a default deny stance.
Here is what I have tried:
Code:
# default deny policy
block all
# allow all traffic coming in(to this computer(fxp0)) from rum0
pass in on rum0
pass out on fxp0
# DNS
pass quick proto {tcp, udp} from any to any port 53 keep state
# SSH on 192.168.0/24, in case I am locked out
pass proto tcp from fxp0:network to port ssh
# NAT
pass out on fxp0 from rum0:network to any nat-to (fxp0)
With this pf.conf, however, I am unable to even ping 172.16.0.1 (rum0) when I connect to it from another computer. I obviously also do not have access to the internet either.
Reverting back to the simple one-line ruleset:
Code:
pass out on fxp0 from rum0:network to any nat-to (fxp0)
fixes everything though.
Thank you for any help.
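For comparison, here is an added example (not the poster's own ruleset) of a default-deny /etc/pf.conf for the same two-interface layout, using the OpenBSD `match ... nat-to` form so that rule order cannot silently disable the translation. The macro names, the `set skip on lo` line and the SSH restriction to the gateway's own address are assumptions for this example.

```pf
# Added example: default-deny pf.conf that still NATs rum0 clients out via fxp0.
# Macro names are assumptions; the interfaces match the question.
ext_if = "fxp0"
int_if = "rum0"

# Loopback traffic is never filtered.
set skip on lo

# Default deny, both directions, every interface. In OpenBSD pf the last
# matching rule wins unless a rule is marked "quick", so everything below
# overrides this for the cases we explicitly want.
block all

# Wireless clients may send anything to or through the gateway. State is
# kept by default, so the replies flow back out on rum0 without a separate
# pass rule.
pass in on $int_if

# Let the gateway itself originate traffic towards the wireless clients
# (DHCP offers, ICMP errors, anything not already covered by a state).
pass out on $int_if

# Translate forwarded wireless traffic to fxp0's address. A "match" rule
# only sets the nat-to action; the following "pass out" rule decides
# whether the packet leaves. Ordering is therefore not a trap here, unlike
# two competing "pass out on fxp0" rules where only the last one would
# apply and the translation could be lost.
match out on $ext_if from $int_if:network to any nat-to ($ext_if)
pass out on $ext_if

# SSH from the wired network to the gateway only, so a bad rule set does
# not lock us out. Restricting the destination to (fxp0) keeps this from
# also passing SSH towards arbitrary hosts.
pass in on $ext_if proto tcp from $ext_if:network to ($ext_if) port ssh
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, then `pfctl -f /etc/pf.conf`, and confirm the translation with `pfctl -ss` while a wireless client has a connection open: a NATed flow shows one state on rum0 and one on fxp0 with the rewritten source.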