Is PF nat broken?
Pyun YongHyeon
yongari at kt-is.co.kr
Thu Oct 21 22:59:09 PDT 2004
On Thu, Oct 21, 2004 at 10:53:39PM +0200, Matteo Riondato wrote:
> Thu, 2004-10-21 18:38 CEST, Max Laier wrote:
> > Matteo Riondato wrote:
> > > Please note that I'm using pf.ko, not in-kernel support.
> > > There isn't a "nat enable yes" line in /etc/ppp/ppp.conf
> > > Any help will be appreciated.
> >
> > Well, could you try to tell us what exactly the problem is? I don't see any
> > mentioning of the actual problem.
>
> Ouch, sorry, I forgot to mention it.. :)
> Well, the fact is that nat does not work. I mean: packets arrive from
> the lan to the internal interface (wifi_if = "rl0") and it seems that
> they are forwarded to remote hosts, but when they come back, they are not
> forwarded back to lan hosts.
>
> Here you find the output of "pfctl -vrs":
> http://www.riondabsd.net/pfctl-vsr.output
>
You may need "pfctl -vvsn" to check NAT and "pfctl -vss"
to check created states.
> The output of "tcpdump -i rl0 port 110"
> http://www.riondabsd.net/tcpdump.rl0
>
> The output of "tcpdump -i tun0 port 110"
> http://www.riondabsd.net/tcpdump.tun0
>
> (the two tcpdumps were taken at the same time)
>
I guess the additional "-nvvv" options are preferable since they
convey more information than the plain tcpdump command.
> Here is my /etc/pf.conf
> http://www.riondabsd.net/pf.conf
>
Remove the block rule or add the log keyword and check whether your
NAT rule really works.
> Hope this helps.
> Thank you in advance for any hint.
PS: Your mail server rejects my mail.
--
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari | yongari at freebsd.org
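As an added illustration of the troubleshooting advice in this reply (not a file from the thread; Matteo's actual pf.conf is only linked above), here is a constructed pf.conf for the setup described: the LAN behind wifi_if = "rl0", the ppp link on tun0, NAT done by pf rather than by ppp. The block rule carries the log keyword so that anything pf drops, including un-translated return packets, shows up on pflog0 instead of disappearing silently. The interface names come from the thread; the address block and the rule layout are assumptions.

```pf
# Constructed example, not the poster's configuration.
ext_if  = "tun0"   # ppp link, address assigned dynamically
wifi_if = "rl0"    # internal interface named in the thread

# Translate LAN traffic leaving on tun0. The parentheses make pf
# re-read tun0's address on every evaluation, which matters when ppp
# renegotiates the link and the address changes.
nat on $ext_if from $wifi_if:network to any -> ($ext_if)

# Default deny with "log": dropped packets are written to pflog0 so a
# NAT problem can be seen as a logged block instead of guessed at.
block log all

# pf of this era does not keep state by default; without "keep state"
# reply packets are matched against the ruleset again and hit the block.
pass in  quick on $wifi_if from $wifi_if:network to any keep state
pass out quick on $ext_if  from any to any keep state
```

With this in place, `pfctl -vvsn` should list the nat rule with a non-zero evaluation and packet count once a LAN host sends traffic, `pfctl -vss` should show a state whose translated address is the tun0 address, and `tcpdump -n -e -ttt -i pflog0` shows any packet the block rule drops together with the rule number that matched it. If the return packets for port 110 appear on tun0 in tcpdump but also appear on pflog0, the translation state was not created (or expired) and the nat rule, not routing, is the thing to look at.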