I (still) have an unresolved issue with my work firewall
(1.2-RC2) which I could really use some help with.
To recap, my configuration (which works just fine, but)
looks like this, with the last octet xxxed out in
strategic places:
# ifconfig -a
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::21b:24ff:fe2d:b00b%bge0 prefixlen 64 scopeid 0x1
ether 00:1b:24:2d:b0:0b
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
inet6 fe80::21b:24ff:fe2d:b00c%bge1 prefixlen 64 scopeid 0x2
inet 10.0.2.6 netmask 0xfffffffc broadcast 10.0.2.7
ether 00:1b:24:2d:b0:0c
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
enc0: flags=41<UP,RUNNING> mtu 1536
pflog0: flags=100<PROMISC> mtu 33208
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
pfsync0: flags=41<UP,RUNNING> mtu 2020
pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
vlan0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
inet 62.245.148.xxx netmask 0xffffffc0 broadcast 62.245.148.xxx
inet6 fe80::21b:24ff:fe2d:b00b%vlan0 prefixlen 64 scopeid 0x7
ether 00:1b:24:2d:b0:0c
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
vlan: 3 parent interface: bge1
(the vlan0 is due to a switch VLAN since I can only use 2 NICs
out of 4 at the moment, until FreeBSD 7.x lands) and the ISP is
rewriting the traffic originating from 10.0.2.6 to appear as if
coming from 62.245.254.xxx.
# pfctl -s nat
nat-anchor "pftpx/*" all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on bge1 inet from 192.168.0.0/24 to any -> (bge1) round-robin
rdr-anchor "pftpx/*" all
rdr-anchor "slb" all
no rdr on bge0 proto tcp from any to <vpns> port = ftp
rdr on bge0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
rdr-anchor "imspector" all
rdr-anchor "miniupnpd" all
What I'm trying to do is to formulate the pf equivalent of
(Linux) iptables ... -j SNAT --to-source 62.245.148.xxx
I've tried adding some via Firewall->(advanced)NAT->Outbound which
resulted in
nat on bge1 inet from 192.168.0.0/24 to 62.245.148.xxx -> (bge1)
round-robin
which has no effect if added to the existing
nat on bge1 inet from 192.168.0.0/24 to any -> (bge1) round-robin
rule, and if used alone removes connectivity of machines behind NAT
(the firewall still works fine, and whenever I check my apparent IP
by
fetch http://whatismyip.com && cat whatismyip.com | grep 'WhatIsMyIP.com -'
it's unchanged).
So I'm stuck with doing something stupid, and could really use a rule
or a pfctl incantation to try that rule, which does the equivalent of
iptables ... -j SNAT --to-source 62.245.148.xxx ?
Can I has a nice rule plz? Kthx.
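The pf form of the SNAT rule asked for above, as an added example that is not part of the original post. It assumes the layout shown in the ifconfig output (LAN 192.168.0.0/24 on bge0, ISP link on bge1, public address on vlan0); "xxx" stays a placeholder for the masked octet.

```pf
# Added example (not from the original post): the pf counterpart of
# "iptables ... -j SNAT --to-source 62.245.148.xxx".
# Assumptions: LAN 192.168.0.0/24 behind bge0, ISP link bge1 (10.0.2.6),
# and the address to present upstream is the vlan0 address 62.245.148.xxx.

lan_net   = "192.168.0.0/24"
isp_if    = "bge1"
snat_addr = "62.245.148.xxx"   # placeholder: fill in the real last octet

# Existing rule: "(bge1)" means "whatever address bge1 has right now",
# so it can only ever translate to 10.0.2.6, never to 62.245.148.xxx.
# nat on bge1 inet from 192.168.0.0/24 to any -> (bge1) round-robin

# Equivalent of SNAT --to-source: name the address explicitly instead of
# the interface. pf accepts a translation address that is not configured
# on $isp_if; what has to hold is that the upstream router sends replies
# for 62.245.148.xxx back to this firewall, otherwise states never complete.
nat on $isp_if inet from $lan_net to any -> $snat_addr

# The rule the GUI produced, "... from 192.168.0.0/24 to 62.245.148.xxx -> (bge1)",
# matched only traffic *destined* for that address, which is why it changed
# nothing next to the existing rule and broke LAN connectivity on its own.
```

Check the syntax with `pfctl -nf /etc/pf.conf` and the loaded rules with `pfctl -s nat`; on pfSense 1.2 the GUI regenerates pf.conf, so the rule belongs in Firewall->NAT->Outbound with 62.245.148.xxx chosen as the translation address rather than the interface address.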