Hey all, I am having trouble with FreeBSD/pf and the attached config. My main issue is with the second nat rule:

    nat on $int_if from any to ($josh_if) -> $josh_xbox
It seems to work for TCP inbound but not for UDP or ICMP, and I cannot see the reason why; perhaps a binat rule would be better, but I could never get it quite working (in either direction).

# Macros
ext_if = igb0
int_if = igb1
localnet = "{ 172.31.33.2/32, ... lots of ips }"
josh_xbox = "172.31.33.254"
josh_if = "gre0"
josh_gateway = "10.0.0.2"
josh_vpnhost = "185.157.232.30"
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s, 5901 }"
udp_services = "{ domain }"

# Global rules
set skip on lo0
scrub in all

# NAT and redirection
# Outbound masquerading of the LAN behind the external interface
nat on $ext_if from $localnet to any -> ($ext_if)

# xBox redirection
# Outbound over the tunnel: xbox traffic leaves gre0 with gre0's address
nat on $josh_if from $josh_xbox to any -> ($josh_if)
# Intended to send traffic addressed to gre0 on to the xbox
nat on $int_if from any to ($josh_if) -> $josh_xbox
rdr-anchor "miniupnpd"

# Tables and sets
table <bruteforce> persist
table <blocked> persist

# Filtering rules (Quick first)
# Release GRE and QUICK release the protocol
# GRE (IP protocol 47) to/from the VPN host is passed statelessly on the external interface
pass in quick on $ext_if inet proto 47 from $josh_vpnhost to any no state flags any
pass out quick on $ext_if inet proto 47 from any to $josh_vpnhost no state flags any

# SSH, DNS, DHCP
block quick on $ext_if proto udp from any to any port 67
pass in quick on $int_if proto tcp from 172.31.33.1/24 to 172.31.33.1/32 port 22
pass in quick on $int_if proto {tcp,udp} from 172.31.33.1/24 to 172.31.33.1/32 port 53
pass in quick on $int_if proto udp from any to 172.31.33.1/32 port 63

# Pass out/in the xbox traffic (THIS MUST GO AFTER THE DNS RULES)
# Swap packets from the xbox to the fib1 routing table
pass in quick on $int_if from $josh_xbox rtable 1
# Traffic arriving from the tunnel is routed with the default table
pass in quick on $josh_if rtable 0

_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
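Editor's note, for anyone reading this later: in pf a nat rule translates the source address of packets leaving the interface it is declared on, rdr translates the destination address of packets arriving on the interface it is declared on, and binat is a bidirectional one-to-one mapping that does both at once. The block below is an added example, not the original poster's config, showing the "xBox redirection" section written with the binat form the post mentions, with the equivalent nat/rdr pair commented out beside it. It reuses the post's macros and assumes the gre0 tunnel carries exactly one local IPv4 address, for which the placeholder 10.0.0.1 is used (the post does not give that address).

```pf
# Added example, not from the original post. Macros reused from the post;
# josh_if_ip is an ASSUMED placeholder for the local address of gre0.
ext_if = "igb0"
int_if = "igb1"
josh_xbox = "172.31.33.254"
josh_if = "gre0"
josh_if_ip = "10.0.0.1"      # ASSUMED: the post does not give gre0's local address

set skip on lo0
scrub in all

# Option 1: one bidirectional 1:1 mapping, applied on the tunnel interface.
# Outbound on gre0 the xbox's source address becomes josh_if_ip; inbound on
# gre0 anything addressed to josh_if_ip has its destination rewritten to the
# xbox. The mapping is per address, not per protocol or port, so TCP, UDP and
# ICMP are all covered by the same rule.
binat on $josh_if from $josh_xbox to any -> $josh_if_ip

# Option 2 (use instead of the binat, not together with it): the same two
# directions written out separately. rdr, not nat, is the rule that rewrites
# destination addresses, and it is evaluated on the interface the packet
# arrives on, which for tunnel traffic is gre0, not the LAN interface.
# nat on $josh_if from $josh_xbox to any -> $josh_if_ip
# rdr on $josh_if from any to $josh_if_ip -> $josh_xbox

# Filter rules see the post-translation addresses, so the inbound rule on
# gre0 can match on the xbox as destination. The rtable keywords mirror the
# post's use of a second FIB for the xbox's outbound traffic.
pass in quick on $int_if from $josh_xbox rtable 1
pass in quick on $josh_if to $josh_xbox rtable 0
```

Before loading, `pfctl -nf <file>` parses the ruleset without installing it, which catches syntax errors such as a binat whose translation address is not a single host. Note that the binat claims every inbound packet addressed to josh_if_ip on gre0 for the xbox, so services the router itself exposes on the tunnel address would need their own rules ordered before it.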