NAT in PF

/etc/rc.conf
Code:
ifconfig_em0="DHCP"
ifconfig_em1="192.168.2.1"
ifconfig_em2="192.168.3.1"
ifconfig_em3="192.168.4.1"
# PF
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

gateway_enable="YES"

/etc/sysctl.conf
Code:
net.inet.ip.forwarding=1

I am studying PF, but I have many doubts
and I must get the network working.

I need to convert these iptables rules to PF
Code:
REDE=192.168.0.0/16
iptables -t nat -A POSTROUTING -s $REDE -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -d 192.168.1.102 -p tcp --dport 22 -j DNAT --to 192.168.2.10:22

These are the basics needed to operate the network.
 
douglasfim said:
/etc/sysctl.conf
Code:
net.inet.ip.forwarding=1
This already gets set by the "gateway_enable" in rc.conf. No need to explicitly set it.

I need to convert these iptables rules to PF
Code:
REDE=192.168.0.0/16
iptables -t nat -A POSTROUTING -s $REDE -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -d 192.168.1.102 -p tcp --dport 22 -j DNAT --to 192.168.2.10:22

Code:
ext_if=eth0
rede="{192.168.0.0/16}"

# MASQUERADE equivalent; ($ext_if) follows the interface's current address
nat on $ext_if from $rede to any -> ($ext_if)
# DNAT equivalent: 192.168.1.102:22 -> 192.168.2.10:22 ('port' is required before the port number)
rdr on $ext_if inet proto tcp to 192.168.1.102 port 22 -> 192.168.2.10 port 22
 
# more pf.conf
Code:
# Default rule
pass in all

# define macros for each network interface
INET=em0
ILAN1=em1
ILAN2=em2
ILAN3=em3
IP_EXT="{ 192.168.1.1 }"
REDE="{ 192.168.0.0/16 }"
#tcp_services="{ 22, 443 }"

#scrub in all

#############
# NAT Rules #
#############
nat on $INET from $REDE to any -> ($INET)

#############
# Route Rules
#############
rdr on $INET inet proto tcp to port 22 -> 192.168.2.2 22

# /etc/rc.d/pf start
Code:
Enabling pf/etc/pf.conf:18: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:23: syntax error
pfctl: Syntax error in config file: pf rules not loaded
 
'pass' is filtering, 'nat/rdr' is translation. They're in the wrong order in your ruleset.

Code:
man 5 pf.conf | less +/^STATEMENT
 
# more /etc/pf.conf
Code:
####################
#      MACROS      #
####################
INET=em0
#ILAN1=em1
#ILAN2=em2
#ILAN3=em3
#IP_EXT="{ 192.168.1.1 }"
REDE="{ 192.168.0.0/16 }"
#tcp_services="{ 22, 443 }"

####################
#      TABLES      #
####################

####################
#     OPTIONS      #
####################

####################
#     TRAFFIC      #
####################

####################
#     QUEUEING     #
####################

####################
#   TRANSLATION    #
####################
nat on $INET from $REDE to any -> ($INET)
rdr on $INET inet proto tcp to port 22 -> 192.168.2.2 22

####################
# PACKET FILTERING #
####################
pass in all

# /etc/rc.d/pf start
Code:
Enabling pf/etc/pf.conf:32: syntax error
pfctl: Syntax error in config file: pf rules not loaded
 
I edited

Code:
rdr on $INET inet proto tcp to port 22 -> 192.168.2.2 22
to
Code:
rdr on $INET inet proto tcp to port 22 -> 192.168.2.2 port 22

and everything worked, but I lost the SSH connection.
How do I allow the SSH connection?

Code:
pass in all
did not let everything through
 
If 192.168.2.2 is behind a different interface, you'll probably need to allow 'pass out' on that one. Also make sure you have
Code:
set skip on lo0
somewhere. Without free traffic over loopback almost everything starts acting strange.

Setting up pflog(4) and running tcpdump(1) on the interfaces and on pflog is the first step in troubleshooting.
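A complete /etc/pf.conf that puts the advice from this thread together (correct section order, the `port` keyword in the rdr rule, `set skip on lo0`, and pass rules for the redirected SSH traffic on both the external and the internal interface). This is an added example, not taken from any post; the interface names and the SSH host 192.168.2.2 follow the thread, everything else is an assumption.

```pf
# Added example (not from the thread). Interface names and 192.168.2.2
# come from the thread; the remaining choices are assumptions.

# MACROS
ext_if   = "em0"
lan_ifs  = "{ em1 em2 em3 }"
rede     = "192.168.0.0/16"
ssh_host = "192.168.2.2"

# OPTIONS - loopback must be neither filtered nor translated
set skip on lo0
set block-policy drop

# NORMALIZATION
scrub in all

# TRANSLATION - must come before any filtering rule
# iptables MASQUERADE equivalent; ($ext_if) tracks a DHCP-assigned address
nat on $ext_if from $rede to any -> ($ext_if)
# iptables DNAT equivalent; 'port' is required before the destination port
rdr on $ext_if inet proto tcp from any to ($ext_if) port 22 -> $ssh_host port 22

# PACKET FILTERING
# default deny inbound; log drops to pflog0 for troubleshooting
block in log all

# 'pass out' on every interface: the rdr'd packet leaves via em1 to reach
# 192.168.2.2, and NATed LAN traffic leaves via em0
pass out quick keep state

# LAN clients may talk to the gateway and beyond (NAT handles the rest)
pass in on $lan_ifs from $rede keep state

# Filtering runs after translation, so the redirected SSH packet already
# carries the internal destination; match on that, not on port 22 alone
pass in on $ext_if inet proto tcp from any to $ssh_host port 22 keep state
```

Validate the syntax without loading it using `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`; `tcpdump -n -e -ttt -i pflog0` shows what the `block in log` rule dropped.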
 