pf + NAT + ICMP issues?

Adam McDougall mcdouga9 at egr.msu.edu
Fri Feb 7 14:24:13 UTC 2014


On 02/07/2014 08:16, Daniel Engberg wrote:
> Hi,
> 
> I've been tearing my hair out on this one, this ruleset worked fine on 9.1
> and 9-STABLE around the same time but doesn't on HEAD (most recent box I
> have is running r261486 (AMD64)). I might be missing something obvious so
> I guess I need another pair of eyes. Anyhow, the issue is pretty
> simple, for some reason on clients behind ping and tracert don't work
> as they did before.
> 
> Using ping (Windows 7) the first packet always gets a timeout and
> tracert doesn't work except at the end hop.
> 
(snip)
> 
> # Allow ICMP
> pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types

Can you try duplicating or replacing this rule with "pass out"?
I use both pass in and out; I suppose I could just use "pass" with one
rule.  FYI, I only have icmp_types = "{ echoreq unreach }".

> 
> # Allow FTPs to connect to our FTP-proxy
> pass in quick on $ext_if inet proto tcp to ($ext_if) port ftp-data user proxy
> 



