Re: bidirectional NAT in PF?

2008-09-08 Thread mouss
David DeSimone wrote: I think I am using the wrong terminology. I should probably call it "double NAT" to differentiate it. "binat" works fine but it still only changes ONE of the IPs being translated (the source IP). In PF, you can use "nat" to translate the source IP, and "redir" to change

FreeBSD 7.1-PRERELEASE Trouble

2008-09-08 Thread Dmitry Rybin
PF doesn't block some IP === pf.conf === ext_if="bge0" table { 78.107.71.38 89.179.195.34 } block quick from pass out pass in === pf.conf === # pfctl -e -f /etc/pf.conf # tcpdump -netxi bge0 host 89.179.195.34 00:1a:a1:69:35:43 > 00:1c:c4:81:2f:9e, ethertype IPv4 (0x0800), length 69: 89.

Re: FreeBSD 7.1-PRERELEASE Trouble

2008-09-08 Thread Jeremy Chadwick
On Mon, Sep 08, 2008 at 07:13:35PM +0400, Dmitry Rybin wrote: > PF doesn't block some IP > > === pf.conf === > > ext_if="bge0" > table { 78.107.71.38 89.179.195.34 } > > block quick from > pass out > pass in > === pf.conf === > > # pfctl -e -f /etc/pf.conf > > # tcpdump -netxi bge0 host

Re: FreeBSD 7.1-PRERELEASE Trouble

2008-09-08 Thread Jeremy Chadwick
On Mon, Sep 08, 2008 at 08:51:39AM -0700, Jeremy Chadwick wrote: > On Mon, Sep 08, 2008 at 07:13:35PM +0400, Dmitry Rybin wrote: > > PF doesn't block some IP > > > > === pf.conf === > > > > ext_if="bge0" > > table { 78.107.71.38 89.179.195.34 } > > > > block quick from > > pass out > > pas

Re: FreeBSD 7.1-PRERELEASE Trouble

2008-09-08 Thread Jille
Hello, Dmitry Rybin wrote: > PF doesn't block some IP > > === pf.conf === > > ext_if="bge0" > table { 78.107.71.38 89.179.195.34 } Afaik you need to separate them with a comma (,) -- Jille > > block quick from > pass out > pass in > === pf.conf === > > # pfctl -e -f /etc/pf.conf > > #

Re: FreeBSD 7.1-PRERELEASE Trouble

2008-09-08 Thread Jeremy Chadwick
On Mon, Sep 08, 2008 at 05:45:44PM +0200, Jille wrote: > Dmitry Rybin wrote: > > PF doesn't block some IP > > > > === pf.conf === > > > > ext_if="bge0" > > table { 78.107.71.38 89.179.195.34 } > > Afaik you need to separate them with a comma (,) This is incorrect. You can use a comma or a

Re: FreeBSD 7.1-PRERELEASE Trouble

2008-09-08 Thread David DeSimone
Dmitry Rybin <[EMAIL PROTECTED]> wrote: > > PF doesn't block some IP > > === pf.conf === > > ext_if="bge0" > table { 78.107.71.38 89.179.195.34 } > > block quick from > pass out > pass in > === pf.conf === > > # pfctl -e -f /etc/pf.conf > >

Re: FreeBSD 7.1-PRERELEASE Trouble

2008-09-08 Thread Jeremy Chadwick
On Mon, Sep 08, 2008 at 01:04:07PM -0500, David DeSimone wrote: > Dmitry Rybin <[EMAIL PROTECTED]> wrote: > > > > PF doesn't block some IP > > > > === pf.conf === > > > > ext_if="bge0" > > table { 78.107.71.38 89.179.195.34 } > > > > block quick from > > pass out > > pass in > > === pf.con

Re: FreeBSD 7.1-PRERELEASE Trouble

2008-09-08 Thread Jeremy Chadwick
On Tue, Sep 09, 2008 at 09:20:20AM +0400, Dmitry Rybin wrote: > === pf.conf === > ext_if="bge0" > > block in quick from > pass out > pass in > === pf.conf === > # pfctl -f > # pfctl -t dnsflood -Tadd 78.107.71.38 > # pfctl -t dnsflood -Tadd 89.179.195.34 > # pfctl -t dnsflood -Tshow > 78.107.71.3