Re: problems setting up a firewall with nat
Hardware problem, thanks.

2009/5/10 Jean-François SIMON
> All,
> It was a hardware problem.
>
> Thanks for help
>
> 2009/5/10 Jean-François SIMON
>> I do and have booted since.
>> Regards.
Re: problems setting up a firewall with nat
I do and have booted since.
Regards.

2009/5/10 Tony Abernethy
> Dorian Büttner wrote:
> > Do you have sysctl net.inet.ip.forwarding=1? As described on
> > top of pf.conf?
>
> Have you booted since?
Re: problems setting up a firewall with nat
Dorian Büttner wrote:
> Do you have sysctl net.inet.ip.forwarding=1? As described on
> top of pf.conf?

Have you booted since?
Re: problems setting up a firewall with nat
Jean-François SIMON wrote:
> Hello James,
> If no output to parse means no errors, and verbose mode just repeats all the
> lines of the pf.conf, then yes it parses.
>
> pflog0 keeps silent, nothing in here while trying to connect from the subnet
> to the internet.

Do you have sysctl net.inet.ip.forwarding=1? As described on top of pf.conf?
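The checks raised in this thread (does pf.conf parse, is forwarding set, has the box been rebooted since, what does pflog0 show), collected into one script as an added example; it is not code from any of the posters, and the function names and sample files are constructed for illustration. It also shows why a silent pflog0 says little for a ruleset like the one posted: pflog0 only carries packets matched by rules with the `log` keyword.

```shell
#!/bin/sh
# Added example: offline checks on sysctl.conf / pf.conf text, plus the live
# commands named in the thread. Function names here are made up.

# sysctl.conf on stdin -> last uncommented value assigned to KEY ($1).
conf_value() {
    sed 's/#.*//' | awk -F= -v key="$1" '
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == key { val = $2 }
        END { if (val != "") print val }'
}

# Compare the value in sysctl.conf ($1) with the running value ($2).
# sysctl.conf is only read at boot, so the two can disagree.
forwarding_state() {
    case "${1:-0}:${2:-0}" in
        1:1) echo ok ;;
        1:*) echo configured-not-active ;;  # file edited, not booted since
        *:1) echo active-not-persistent ;;  # set by hand, gone after reboot
        *)   echo off ;;
    esac
}

# pf.conf on stdin -> active lines only (comments and blank lines dropped).
active_rules() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Number of active "nat ..." rules (OpenBSD 4.5 syntax, as in the thread).
nat_rule_count() { active_rules | awk '/^nat / { n++ } END { print n + 0 }'; }

# Number of active rules carrying the "log" keyword. pflog0 only shows
# packets matched by such rules, so 0 here means pflog0 stays silent.
log_rule_count() {
    active_rules | awk '/(^| )log( |\(|$)/ { n++ } END { print n + 0 }'
}

# Constructed sample inputs, modelled on the files discussed in the thread.
sample_sysctl() { cat <<'EOF'
#net.inet.ip.forwarding=1    # stock line, still commented
net.inet.ip.forwarding=1     # 1=Permit forwarding (routing) of IPv4 packets
#net.inet6.ip6.forwarding=1
EOF
}
sample_pf() { cat <<'EOF'
ext_if="em0"
int_if="em1"
nat on $ext_if from ($int_if:network) -> ($ext_if)
#block in
pass in
pass out
EOF
}

# Live checks: run as root on the firewall with "--live".
live_checks() {
    pfctl -nf /etc/pf.conf || return 1   # parse only, nothing is loaded
    pfctl -s nat                         # NAT rules currently loaded
    conf=$(conf_value net.inet.ip.forwarding < /etc/sysctl.conf)
    run=$(sysctl -n net.inet.ip.forwarding)
    echo "forwarding:     $(forwarding_state "$conf" "$run")"
    echo "nat rules:      $(nat_rule_count < /etc/pf.conf)"
    echo "rules with log: $(log_rule_count < /etc/pf.conf)"
}

if [ "${1:-}" = "--live" ]; then
    live_checks
else
    echo "forwarding:     $(forwarding_state "$(sample_sysctl | conf_value net.inet.ip.forwarding)" 0)"
    echo "nat rules:      $(sample_pf | nat_rule_count)"
    echo "rules with log: $(sample_pf | log_rule_count)"
fi
```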
Re: problems setting up a firewall with nat
Hello James,
If no output to parse means no errors, and verbose mode just repeats all the
lines of the pf.conf, then yes it parses.

pflog0 keeps silent, nothing in here while trying to connect from the subnet
to the internet.

2009/5/10 James Records
> Does your pf.conf parse? Try pfctl -nf /etc/pf.conf. If it's not parsing, it
> will not load and behave as you describe. Also tcpdump on the pflog interface
> as well, to give yourself another data point.
>
> J
Re: problems setting up a firewall with nat
Sorry for forgetting the rest, here you are:

ext_if is actually working, configured to an adsl box using DHCP and
actually lynx displays pages.

int_if is the local network that I want to go through openbsd box to access
to internet so I can filter with pf.

The configuration is a standard nat rule + packet forwarding between the two
interfaces so called em0 and em1 resp ext_if and int_if.

As indicated before, I have pf enabled, inet forward lines uncommented in
sysctl.conf

Packets are received on int_if but not forwarded to ext_if.

Did I miss something? Here below pf.conf

    # cat /etc/pf.conf
    # $OpenBSD: pf.conf,v 1.38 2009/02/23 01:18:36 deraadt Exp $
    #
    # See pf.conf(5) for syntax and examples; this sample ruleset uses
    # require-order to permit mixing of NAT/RDR and filter rules.
    # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
    # in /etc/sysctl.conf if packets are to be forwarded between interfaces.

    ext_if="em0"
    int_if="em1"

    set loginterface $ext_if
    set require-order no
    set skip on lo
    scrub in all

    # NAT/filter rules and anchors for ftp-proxy(8)
    #nat-anchor "ftp-proxy/*"
    #rdr-anchor "ftp-proxy/*"
    nat on $ext_if from ($int_if:network) -> ($ext_if)
    #rdr pass on ! egress proto tcp to port ftp -> 127.0.0.1 port 8021
    #anchor "ftp-proxy/*"
    #pass out proto tcp from $proxy to any port ftp

    # NAT/filter rules and anchors for relayd(8)
    #rdr-anchor "relayd/*"
    #anchor "relayd/*"

    # NAT rules and anchors for spamd(8)
    #table persist
    #table persist file "/etc/mail/nospamd"
    #no rdr on egress proto tcp from to any port smtp
    #no rdr on egress proto tcp from to any port smtp
    #rdr pass on egress proto tcp from any to any port smtp -> 127.0.0.1 port spamd

    #block in
    pass in
    pass out

    #pass in on $int_if proto tcp to any port 80

    #block in quick from urpf-failed to any # use with care

    # By default, do not permit remote connections to X11
    block in on ! lo0 proto tcp from any to any port 6000

    antispoof for ext_if
Re: problems setting up a firewall with nat
On Sat, 9 May 2009 22:52:32 +0200
Jean-François SIMON wrote:

> Hello,
> Please can you help me with this:
>
> I just installed the 4.5 OpenBSD, set up the inet forwarding for
> unicast and multicast, include the standard NAT rule in pf.conf such
> as: nat on $ext_if from ($int_if:network) -> ($ext_if)
> enable pf
> check with pfctl -s nat that the correct rule is set.
>
> That does not work, with tcpdump I see that packets are not
> forwarded, I see them on int_if but not on ext_if.
>
> Can you give me some help to find out where the problem is?
>
> Thanks.

Because you don't have a pass rule they get blocked?
Guessing only goes so far.

Tell us what you want to do.
Tell us what you tried to get it working.
Tell us what is in your relevant configs.

Perhaps then someone can tell you what to do.

- Robert
problems setting up a firewall with nat
Hello,
Please can you help me with this:

I just installed the 4.5 OpenBSD, set up the inet forwarding for
unicast and multicast, include the standard NAT rule in pf.conf such
as: nat on $ext_if from ($int_if:network) -> ($ext_if)
enable pf
check with pfctl -s nat that the correct rule is set.

That does not work, with tcpdump I see that packets are not
forwarded, I see them on int_if but not on ext_if.

Can you give me some help to find out where the problem is?

Thanks.