Hi
I'm trying to set up a small home network with both wired and wireless
access, so I've put the following NICs in a box:
ath0: internal wireless 192.168.1.1
rl0: internal wired 192.168.0.1
rl1: external wired DHCP
I've used the following pf.conf (a slight adaptation of the example in
the pf FAQ):
------------------------------------------------
# macros
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
# options
set block-policy return
set loginterface rl1
# scrub
scrub in all
# nat/rdr
nat on rl1 from ath0:network to any -> (rl1)
nat on rl1 from rl0:network to any -> (rl1)
# filter rules
block all
pass quick on lo0 all
pass in on rl1 inet proto tcp from any to (rl1) \
port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on ath0 from ath0:network to any keep state
pass out on ath0 from any to ath0:network keep state
pass in on rl0 from rl0:network to any keep state
pass out on rl0 from any to rl0:network keep state
pass out on rl1 proto tcp all modulate state flags S/SA
pass out on rl1 proto { udp, icmp } all keep state
------------------------------------------------
Then I tried to use interface groups (cool feature, and it seems like
it might shrink the pf.conf file and make it easier to maintain), put
rl1 in group "if_ext" and the other two NICs in "if_int", tried to
adapt pf.conf accordingly and got this:
------------------------------------------------
# macros
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
# options
set block-policy return
set loginterface if_ext
# scrub
scrub in all
# nat/rdr
nat on if_ext from (if_int:network) to any -> (if_ext)
# filter rules
block all
pass quick on lo0 all
pass in on if_ext inet proto tcp from any to (if_ext) \
port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on if_int from (if_int:network) to any keep state
pass out on if_int from any to (if_int:network) keep state
pass out on if_ext proto tcp all modulate state flags S/SA
pass out on if_ext proto { udp, icmp } all keep state
------------------------------------------------
All seems fine; running pfctl -n on it produces nothing, but when
trying to load the rules I get DIOCSETSTATUSIF, and no rules are
loaded. What am I doing wrong?
--
Erik Wikström
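Added example (editor's, not part of Erik's post): a small sh pre-flight check for the failure mode above. pfctl -n only parses pf.conf; the "set loginterface" option is handed to the kernel at load time through the DIOCSETSTATUSIF ioctl, and on OpenBSD releases where loginterface must name a real interface rather than an interface group, a name like if_ext is rejected there and nothing gets loaded. The check flags a loginterface that matches one of the box's group names. The group names are passed as arguments (an assumption made so the script runs anywhere; on the firewall itself you would read them with ifconfig(8)), and the pf.conf fragments it is run against are constructed inline.

```shell
#!/bin/sh
# Added example (not from the post): a pre-flight check for pf.conf that
# "pfctl -n" does not perform. pfctl -n only parses the file; it is the
# kernel, at load time, that applies "set loginterface" through the
# DIOCSETSTATUSIF ioctl, and on releases where loginterface must name a
# real interface a group name such as "if_ext" is rejected there.
#
# Usage: check_loginterface <pf.conf> <group name>...
# Assumption: the group names are passed on the command line. On the
# firewall itself you would collect them from ifconfig(8); here they are
# arguments so the check runs on any machine.

check_loginterface() {
    conf=$1
    shift
    # Extract NAME from an uncommented "set loginterface NAME" line
    # (last one wins). A trailing "# comment" on the line is dropped.
    logif=$(sed -n \
        's/^[[:space:]]*set[[:space:]]\{1,\}loginterface[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' \
        "$conf" | tail -n 1)

    if [ -z "$logif" ]; then
        echo "ok: no loginterface set in $conf"
        return 0
    fi

    for group in "$@"; do
        if [ "$group" = "$logif" ]; then
            echo "FAIL: loginterface '$logif' is an interface group;" \
                 "name the real external NIC (e.g. rl1) or drop the line"
            return 1
        fi
    done

    echo "ok: loginterface '$logif' is not one of the groups: $*"
    return 0
}

# Constructed sample configs for a stand-alone run; the first mirrors the
# options section of the second pf.conf in the post.
bad=$(mktemp)
good=$(mktemp)
cat > "$bad" <<'EOF'
# options
set block-policy return
set loginterface if_ext
# nat/rdr
nat on if_ext from (if_int:network) to any -> (if_ext)
EOF
sed 's/^set loginterface if_ext$/set loginterface rl1/' "$bad" > "$good"

check_loginterface "$bad" if_ext if_int || echo "(this file would fail to load)"
check_loginterface "$good" if_ext if_int
rm -f "$bad" "$good"
```

Run it against the real file with the groups the box actually has, e.g. check_loginterface /etc/pf.conf if_ext if_int, before pfctl -f; it only looks at the loginterface line, so a clean pfctl -n is still needed for everything else.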