help with new nat rules in pf

I recently upgraded to 9.0 and I'm noticing none of my NAT rules work anymore.

Here is my old pf.conf;

Code:
#------------------------------------------------------------------------
# macros
#------------------------------------------------------------------------
# interfaces
ext_if  = "em1"
int_if  = "em0"
wifi_if = "wlan0"
#protocol
icmp_types = "{ echoreq, unreach }"
#hosts
rtor = "192.168.1.61"
scp_j = "192.168.1.53"
ub = "192.168.1.50"
Xbox360 = "{ 192.168.1.22, 192.168.1.24 }"
ps3	= " { 192.168.1.23 }"
ssh_zone = "192.168.1.55"
raidz = "{ 192.168.1.14, 192.168.1.15 }"
#ports
Xlive_tcp = "{ http, https, 3074 }"
Xlive_udp = "{ 88, 3074 }"
ps3_tcp  = "{ http, https, 5223 }"
ps3_udp  = "{ 5223, 3478, 3479, 3658 }"
rtor_ports = "{http, https }"
bittorrent = "{ 51000, 51001, 51002 }"
www  = "{ http, https }"
ntop = 3000
#nets
lan_net = "{ 192.168.1.0/24, 192.168.2.0/24 }"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# config
#------------------------------------------------------------------------
# options
#------------------------------------------------------------------------
# config
set block-policy drop
set loginterface $ext_if
set skip on lo0
set skip on lo1
set optimization conservative
# scrub
scrub in on $int_if all no-df
scrub out on $int_if all no-df
scrub on $ext_if all no-df random-id reassemble tcp fragment reassemble

#--------------------------------------------------
#queue
#---------------------------------------------------
### FIOS Upload = 15Mb/s (queue at 97%)
 altq on $ext_if bandwidth 14.55Mb hfsc queue { ack, dns, ssh, games, web, mail, bulk, bittor }
  queue ack        bandwidth 30% priority 8 qlimit 500 hfsc (realtime   20%)
  queue dns        bandwidth  5% priority 7 qlimit 500 hfsc (realtime    5%)
  queue ssh        bandwidth 10% priority 6 qlimit 500 hfsc (realtime   15%) {ssh_login, ssh_bulk}
   queue ssh_login bandwidth 50% priority 6 qlimit 500 hfsc
   queue ssh_bulk  bandwidth 50% priority 5 qlimit 500 hfsc
  queue games      bandwidth 10% priority 5 qlimit 500 hfsc (realtime   5%)
  queue bulk       bandwidth 20% priority 4 qlimit 500 hfsc (realtime   20% default)
  queue web        bandwidth  5% priority 3 qlimit 500 hfsc (realtime  (10%, 10000, 5%) )
  queue mail       bandwidth  5% priority 2 qlimit 500 hfsc (realtime    5%)
  queue bittor     bandwidth  1% priority 1 qlimit 500 hfsc (upperlimit 95%)

#------------------------------------------------------------------------
# redirection (and nat, too!)
#------------------------------------------------------------------------
# network address translation
#nat on egress from (self)         to any tag EGRESS -> ($ext_if:0) port 1024:65535
nat on egress from $int_if:network to any tag EGRESS -> ($ext_if:0) port 1024:65535
nat on $ext_if from $Xbox360 to any -> ($ext_if:0) static-port
nat on $ext_if from $ps3     to any -> ($ext_if:0) static-port
nat on $ext_if from $lan_net to any -> ($ext_if)
nat on $ext_if from 10.0.0.0/24 to any -> ($ext_if)
no nat on $int_if proto tcp from $int_if to $lan_net
nat on $int_if proto tcp from $lan_net to $rtor port $rtor_ports -> $int_if
no nat on $wifi_if proto tcp from $wifi_if to $lan_net
nat on $wifi_if proto tcp from $lan_net to $rtor port $rtor_ports -> $wifi_if
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $wifi_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if inet proto tcp from any to ($ext_if) port $rtor_ports -> $rtor
rdr on $ext_if inet proto tcp from any to ($ext_if) port 50022 -> $ssh_zone port ssh
rdr on $ext_if inet proto tcp from any to ($ext_if) port $bittorrent -> $rtor
rdr on $ext_if inet proto tcp from any to ($ext_if) port 52001:52101 -> $ub
rdr on $int_if inet proto tcp from $lan_net to ($ext_if) port $rtor_ports -> $rtor
rdr on $wifi_if inet proto tcp from $lan_net to ($ext_if) port $rtor_ports -> $rtor
rdr on $ext_if inet proto udp from any to ($ext_if) port $Xlive_udp tag XBOX360 -> $Xbox360
rdr on $ext_if inet proto tcp from any to ($ext_if) port $Xlive_tcp tag XBOX360 -> $Xbox360
rdr on $ext_if inet proto udp from any to ($ext_if) port $ps3_udp tag PS3 -> $ps3
rdr on $ext_if inet proto tcp from any to ($ext_if) port $ps3_tcp tag PS3 -> $ps3
rdr on $ext_if inet proto tcp from any to ($ext_if) port 9293 tag PSP -> $ps3

#rdr on $int_if inet proto tcp from any to any port www -> 10.0.0.1 port 3128
#rdr on $int_if inet proto tcp from any to any port 8080 -> 10.0.0.2 port www
#rdr on $wifi_if inet proto tcp from any to any port www -> 10.0.0.1 port 3128

#------------------------------------------------------------------------
# firewall policy
#------------------------------------------------------------------------
# restrictive default rules
block log all
block drop quick log on $ext_if from $priv_nets to any
anchor "ftp-proxy/*"
# anti spoofing
antispoof for { $int_if, $wifi_if, $ext_if }
#-----------------------
#pass any to any
#------------------------
pass inet proto icmp all icmp-type $icmp_types keep state
pass quick on $int_if keep state
pass quick on $wifi_if keep state
pass log proto tcp from any to $rtor port $rtor_ports synproxy state queue (web, ack)
pass log proto tcp from any to $rtor port $bittorrent synproxy state queue (bittor, ack)
pass log proto tcp from any to $ub port 52001:52101 synproxy state queue (bittor, ack)
pass log proto tcp from any to $rtor port ssh synproxy state queue (ssh_bulk, ssh_login)
pass log proto tcp from any to 192.168.1.1 port $ntop synproxy state queue (bulk)
pass log proto tcp from any to $ssh_zone port ssh synproxy state queue (ssh_bulk, ssh_login)
pass log proto tcp from any to $rtor port 10000:10040 synproxy state queue (bittor, ack)
pass out from any to any keep state queue (bulk, ack)
#-------------------------
#pass ext_if in
#--------------------------
pass in quick on $ext_if inet proto tcp from any to any port 50022 keep state queue (ssh_bulk, ssh_login)
pass in quick log on $ext_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state queue (games, ack) tagged XBOX360
pass in quick log on $ext_if inet proto tcp from any to $Xbox360 port $Xlive_tcp flags S/SAFR synproxy state queue (games, ack) tagged XBOX360
pass in quick log on $ext_if inet proto udp from any to $ps3 port $ps3_udp keep state queue (games, ack) tagged PS3
pass in quick log on $ext_if inet proto tcp from any to $ps3 port $ps3_tcp flags S/SAFR synproxy state queue (games, ack) tagged PS3
pass in quick log on $ext_if inet proto tcp from any to $ps3 port 9293 keep state queue (games, ack) tagged PSP
#---------------------------
#pass int_if in
#------------------------
pass in on $int_if inet proto tcp from any to 10.0.0.1 port 3128 keep state
pass in quick log on $int_if inet proto udp  from $Xbox360 to any port $Xlive_udp keep state queue (games, ack)
pass in quick log on $int_if inet proto tcp  from $Xbox360 to any port $Xlive_tcp flags S/SAFR synproxy state queue (games, ack)
pass in quick log on $int_if inet proto udp  from $ps3 to any port $ps3_udp keep state queue (games, ack)
pass in quick log on $int_if inet proto tcp  from $ps3 to any port $ps3_tcp flags S/SAFR synproxy state queue (games, ack)
#----------------------------------------
#pass int_if out
#--------------------------------------
pass out quick log on $int_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state queue (games, ack) tagged XBOX360
pass out quick log on $int_if inet proto tcp from any to $Xbox360 port $Xlive_tcp flags S/SAFR synproxy state queue (games, ack) tagged XBOX360
pass out quick log on $int_if inet proto udp from any to $ps3 port $ps3_udp keep state queue (games, ack) tagged PS3
pass out quick log on $int_if inet proto tcp from any to $ps3 port $ps3_tcp flags S/SAFR synproxy state queue (games, ack) tagged PS3
#--------------------------------------
#pass ext_if out
#---------------------------------------
pass out on $ext_if inet proto tcp from any to any port $www keep state queue (web, ack)
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $ext_if proto tcp all modulate state flags S/SA queue (bulk, ack)
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA modulate state queue (bulk, ack)
pass out on $ext_if proto { udp,icmp } all keep state
pass out quick on $ext_if inet proto tcp from $rtor to any keep state queue (bittor)
pass out quick on $ext_if inet proto tcp from any to any port $bittorrent keep state queue (bittor)

If anyone can help me sort this I'd be majorly in debt to you.
 
I was mainly having issues with the NAT rules.

The routing seems to be working, but a lot of the rule syntax is different and I don't really understand it yet. I fixed my no-nat rules by using split DNS instead.

I could still use a lot of help with my other rules.
 
The PR I linked is related to NAT issues with pf(4). I don't really understand what you mean by "rule syntax is different". There have been zero changes in pf.conf(5) syntax in 9.0 compared to previous versions; could you elaborate?
 
This was me being confused. I was thinking it was pf version 4.7.

When "no nat" rules didn't work, I got confused... Thanks for everything.
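As an added example for this thread (not code from the original post, and not part of pf or pfctl), here is a small Python script that expands the macros in a pf.conf and lists the active nat, rdr and binat rules in file order. pf applies translation rules on a first-match basis, so the expanded, ordered list is exactly what decides which rule a packet hits; `no nat` lines are shown as exemptions, which is the behaviour that caused the confusion above. The `SAMPLE_PF_CONF` inside is a constructed excerpt modelled on the posted configuration, not the poster's actual file.

```python
"""Expand pf.conf macros and list the effective translation rules.

Added example for this thread; it is not part of the original post or of pf.
SAMPLE_PF_CONF is a constructed excerpt modelled on the posted pf.conf.
pf evaluates nat/rdr/binat rules first-match, so the ordered, macro-expanded
list this prints is the order in which pf will try them.
"""
import re
import sys

# Constructed excerpt in the style of the posted configuration (not the real file).
SAMPLE_PF_CONF = """\
ext_if  = "em1"
int_if  = "em0"
rtor = "192.168.1.61"
rtor_ports = "{http, https }"
lan_net = "{ 192.168.1.0/24, 192.168.2.0/24 }"
#nat on egress from (self) to any -> ($ext_if:0)
nat on $ext_if from $lan_net to any -> ($ext_if)
no nat on $int_if proto tcp from $int_if to $lan_net
nat on $int_if proto tcp from $lan_net to $rtor port $rtor_ports -> $int_if
nat-anchor "ftp-proxy/*"
rdr on $ext_if inet proto tcp from any to ($ext_if) port $rtor_ports -> $rtor
pass in on $int_if keep state
"""

# name = "value"  or  name = value  (pf allows an unquoted single-token value)
MACRO_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?:"([^"]*)"|(\S+))\s*$')
MACRO_REF_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
# Matched with a trailing space so nat-anchor / rdr-anchor lines are not picked up.
TRANSLATION_KINDS = ("no nat", "no rdr", "no binat", "nat", "rdr", "binat")


def parse_macros(text):
    """Return {name: value} for every macro definition; comments and rules are skipped."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            value = m.group(2) if m.group(2) is not None else m.group(3)
            macros[m.group(1)] = value.strip()
    return macros


def expand(line, macros):
    """Substitute $name references. Returns (expanded_line, [unknown macro names]).
    Unknown references are left in place; pfctl would reject the file anyway."""
    unknown = []

    def sub(m):
        name = m.group(1)
        if name in macros:
            return macros[name]
        unknown.append(name)
        return m.group(0)

    return MACRO_REF_RE.sub(sub, line), unknown


def normalise(rule):
    """Collapse whitespace and pad braces so "{http, https }" prints as "{ http, https }"."""
    rule = re.sub(r"\s+", " ", rule).strip()
    rule = re.sub(r"\{\s*", "{ ", rule)
    return re.sub(r"\s*\}", " }", rule)


def translation_rules(text):
    """Return [(kind, expanded_rule, unknown_macros)] for the active nat/rdr/binat
    rules in text, in file order. Commented-out rules (such as the disabled
    `nat on egress` line) and anchors are skipped."""
    macros = parse_macros(text)
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind = next((k for k in TRANSLATION_KINDS if line.startswith(k + " ")), None)
        if kind is None:
            continue
        expanded, unknown = expand(line, macros)
        rules.append((kind, normalise(expanded), unknown))
    return rules


if __name__ == "__main__":
    # Pass a path to read a real pf.conf; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PF_CONF
    for kind, rule, unknown in translation_rules(text):
        note = "  # exemption: matching packets are NOT translated" if kind.startswith("no ") else ""
        print(rule + note)
        for name in unknown:
            print(f"  !! undefined macro ${name}")
```

After checking the expanded list, `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sn` prints the translation rules the kernel currently holds; comparing that output with the script's list is a quick way to confirm the loaded rules are the ones you meant to write.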
 