
Re: Strange behaviour with PF on FreeBSD 5.3-STABLE



Hi Max,
> 
> You are supposed to have a NAT rule somewhere. Please let us know the complete
> ruleset (including translation rules) and include match counters so that
> people can figure if a certain rule is matched at all (pfctl -vv -sn -sr).
This was my complete ruleset, as I switched from my default ruleset in order
to debug the problem.
ext_if="ed0"
int_if="vr0"
tun_if="tun0"
internal_net="192.168.0.0/24"
set loginterface $tun_if
#nat on $tun_if from $internal_net to any -> ($tun_if)
#default block
block return log-all
pass on $tun_if
pass on $ext_if
pass on $int_if
--------------------------------------
pfctl -vv -sn -sr
@0 block return log-all all
  [ Evaluations: 2171      Packets: 1130      Bytes: 69021       States: 0     ]
@1 pass on tun0 all
  [ Evaluations: 2171      Packets: 0         Bytes: 0           States: 0     ]
@2 pass on ed0 all
  [ Evaluations: 2171      Packets: 0         Bytes: 0           States: 0     ]
@3 pass on vr0 all
  [ Evaluations: 2171      Packets: 1041      Bytes: 65738       States: 0     ]
> Make sure that the NAT rule has dynamic address tracking (as I think you get a
> dynamic IP from your ISP). The rule should look something like:
>  nat on tun0 from $internalnet to any -> (tun0)
I use the NAT from ppp, but I think that this is not related, as the problem
occurs at (or better: also at) the firewall (i386 FreeBSD 5.3-STABLE of
yesterday). The firewall itself (and everything behind it) cannot connect
over ppp to external servers when the default block rule is activated.
When I deactivate the rule, everything runs smoothly.
> Also note that we have a pf-related mailing list on FreeBSD, called
> [email protected] You might want to subscribe and take the discussion
> there: http://lists.freebsd.org/mailman/listinfo/freebsd-pf
Thanks, I will subscribe. Should we move this discussion away from the
freebsd-centrinc mailing list?
Jonathan Weiss
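An added example, not part of this thread: a small Python parser for the "pfctl -vv -sr" counter output quoted above, which pairs each rule with its counters, lists rules that were evaluated but never the final match (a quick way to spot a wrong interface name), and reports what share of packets ended on the block rule. The sample text is constructed from the counters in the message; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the "pfctl -vv -sr" counters quoted in the thread,
# with each "[ ... ]" counter line re-joined onto one line.
SAMPLE = """\
@0 block return log-all all
  [ Evaluations: 2171      Packets: 1130      Bytes: 69021       States: 0     ]
@1 pass on tun0 all
  [ Evaluations: 2171      Packets: 0         Bytes: 0           States: 0     ]
@2 pass on ed0 all
  [ Evaluations: 2171      Packets: 0         Bytes: 0           States: 0     ]
@3 pass on vr0 all
  [ Evaluations: 2171      Packets: 1041      Bytes: 65738       States: 0     ]
"""

RULE_RE = re.compile(r"^@(\d+)\s+(\S.*?)\s*$")
COUNTER_RE = re.compile(
    r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)"
)

def parse_pfctl_rules(text: str) -> List[Dict]:
    """Pair every '@N <rule>' line with the counter line that follows it."""
    rules: List[Dict] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"num": int(m.group(1)), "rule": m.group(2)})
            continue
        c = COUNTER_RE.search(line)
        if c and rules:
            rules[-1].update(
                evaluations=int(c.group(1)), packets=int(c.group(2)),
                bytes=int(c.group(3)), states=int(c.group(4)),
            )
    return rules

def never_matched(rules: List[Dict]) -> List[str]:
    """Rules that were evaluated but never the final match (hypothetical helper)."""
    return [r["rule"] for r in rules if r["evaluations"] > 0 and r["packets"] == 0]

def blocked_share(rules: List[Dict]) -> float:
    """Fraction of counted packets that ended on a 'block' rule, i.e. packets
    for which no later pass rule applied (pf's last matching rule wins)."""
    total = sum(r["packets"] for r in rules)
    blocked = sum(r["packets"] for r in rules if r["rule"].startswith("block"))
    return blocked / total if total else 0.0
```

On the thread's counters this reports both "pass on tun0 all" and "pass on ed0 all" as never matched, and about 52% of packets ending on the default block rule.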