I set up pf with NAT on my FreeBSD 7 system:

[gouda:root]/root# pfctl -sa -vvvv
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
@0 nat on em0 inet from 192.168.4.0/24 to any -> (em0) round-robin
  [ Evaluations: 29986     Packets: 67086     Bytes: 54746182    States: 21    ]
  [ Inserted: uid 0 pid 66358 ]

FILTER RULES:
@0 scrub in all fragment reassemble
  [ Evaluations: 1030123   Packets: 539441    Bytes: 76737270    States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@0 block drop in log (all) quick on em0 inet from 11.11.11.111 to any
  [ Evaluations: 75127     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@1 block drop in log (all) quick on em0 inet from 22.22.22.222 to any
  [ Evaluations: 32476     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@2 block drop out log (all) quick on em0 inet from 11.11.11.111 to any
  [ Evaluations: 56044     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@3 block drop out log (all) quick on em0 inet from 22.22.22.222 to any
  [ Evaluations: 23568     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 66358 ]
@4 pass in all flags S/SA keep state
  [ Evaluations: 75130     Packets: 311544    Bytes: 126402695   States: 62    ]
  [ Inserted: uid 0 pid 66358 ]
@5 pass out all flags S/SA keep state
  [ Evaluations: 75130     Packets: 239954    Bytes: 97798568    States: 55    ]
  [ Inserted: uid 0 pid 66358 ]

NAT works great. Unfortunately, I can still go to 11.11.11.111 or 22.22.22.222 with no blocking and no logging in /var/log/pflog. When I listen with tcpdump on pflog0 there are no entries when I go to those IPs. What am I doing wrong here that is preventing logging and blocking from working?

[gouda:root]/root# tcpdump -vvveni pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes

[gouda:root]/root# cat /etc/pf.conf
ext_if="em0"
int_if="sk0"

set skip on lo0

scrub in

nat on $ext_if from $int_if:network to any -> ($ext_if)

block drop in log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222 } to any
block drop out log (all) quick on $ext_if from { 11.11.11.111, 22.22.22.222 } to any

pass in all
pass out all

Thank you for your thoughts.
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
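Two pf behaviours explain the counters above. First, both block rules match on the *source* address (`from { ... } to any`), but a connection the firewall or a LAN host opens to 11.11.11.111 carries that address as the *destination*, so neither rule matches it and `pass out all` creates a state entry. Second, pf looks up the state table before it evaluates the rule set, so the reply packets coming back from 11.11.11.111 match that state and are never compared against the inbound block rules at all; this is why the block rules show `Packets: 0` while the pass rules carry all the traffic. The following pf.conf is an added illustration, not the poster's file or anything from the thread: it keeps the interfaces and NAT rule from the post, moves the two addresses into a table (the table name `badhosts` is an assumption), and blocks them in both directions.

```pf
# Added illustration for the thread above; not the poster's configuration.
# Interface names come from the post; the table name "badhosts" is assumed.
ext_if="em0"
int_if="sk0"

# One table serves both directions and can be edited with pfctl -t
# (add/delete) without reloading the whole rule set.
table <badhosts> persist { 11.11.11.111, 22.22.22.222 }

set skip on lo0

scrub in

nat on $ext_if from $int_if:network to any -> ($ext_if)

# Inbound: packets whose source is a listed host (same intent as the post).
block drop in  log (all) quick on $ext_if from <badhosts> to any

# Outbound: connections opened *to* a listed host. The post's out rule
# used "from", which never matches locally initiated traffic, so the
# pass out rule created state and the replies matched that state before
# any block rule was evaluated.
block drop out log (all) quick on $ext_if from any to <badhosts>

pass in all
pass out all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Connections that already have an entry in the state table keep passing until that entry expires, so flush them with `pfctl -F states` (or inspect them first with `pfctl -ss`) after the reload; afterwards `pfctl -vsr` should show the `Packets` counters on the two block rules increasing, and `tcpdump -n -e -ttt -i pflog0` should show the logged drops.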