PF firewall NAT example from handbook doesn't work

squirrel

squirrel

I'm trying to build a gateway machine for my home network. The firewall needs to block everything from outside by default, and allow anything originating from inside. Obviously I will need NAT to translate between the internal/external address spaces.

I've never used PF on FreeBSD, so I decided to build my rules up from simple examples. I

I first tried the example NAT ruleset from the FreeBSD Handbook and it seem to pass any traffic from internal hosts at all.

Code: 
ext_if = "igb0"    # macro for external interface - use tun0 for PPPoE
int_if = "igb1"    # macro for internal interface
localnet = $int_if:network
# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from $localnet to any -> ($ext_if)
block all
pass from { lo0, $localnet } to any keep state

If I remove the block all, then it seems to work.

I found another similar ruleset online:

Code: 
ext_if="igb0" # change this

set skip on lo0

nat on $ext_if from any to any -> ($ext_if)

block in on $ext_if

and that passes traffic fine. I'm confused about the role for block in these two examples.

Either the rules from the handbook are incomplete or incorrect. What am I missing?
 
Though I'd still welcome an explanation, it seems that for the Handbook example above to work, the final 'pass' line has to be changed to:

Code: 
pass from { self, $localnet } to any keep state

I.e. 'self' not 'lo0'.
 
You probably want to look at something like this (includes comments)
forums.freebsd.org

Generic NAT firewall pf config / template

People seem to run into issues from time to time so I figured that I'd provide a sample config that pretty much mimics your generic SOHO router/gateway. ################################# #### Packet Firewall Ruleset #### ################################# ################### #### Variables...
forums.freebsd.org forums.freebsd.org
 
You must log in or register to reply here.
Back
Top