From nobody@FreeBSD.org  Sat Dec 29 19:09:34 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 1584216A418
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 29 Dec 2007 19:09:34 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 0381413C448
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 29 Dec 2007 19:09:34 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id lBTJ8qhh032657
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 29 Dec 2007 19:08:52 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id lBTJ8qwD032656;
	Sat, 29 Dec 2007 19:08:52 GMT
	(envelope-from nobody)
Message-Id: <200712291908.lBTJ8qwD032656@www.freebsd.org>
Date: Sat, 29 Dec 2007 19:08:52 GMT
From: Faysal Banna <degreane@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: FreeBSD router  PF  nating internal to external network not working
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         119139
>Category:       misc
>Synopsis:       FreeBSD router  PF  nating internal to external network not working
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    csjp
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Dec 29 19:10:00 UTC 2007
>Closed-Date:    Sat Dec 29 19:30:48 UTC 2007
>Last-Modified:  Sat Dec 29 19:50:01 UTC 2007
>Originator:     Faysal Banna
>Release:        FreeBSD 7 beta4
>Organization:
comnet
>Environment:
FreeBSD FBSD.comnet.net.lb 7.0-BETA4 FreeBSD 7.0-BETA4 #0: Fri Dec 28 16:50:46 EET 2007     root@FBSD.comnet.net.lb:/usr/obj/usr/src/sys/FAYSAL  i386
>Description:
Good Day.
I am trying to use FreeBSD as a router/NAT box. I set up PF (packet filter) as described in the manual and did all what's necessary to the kernel, enabled pf in /etc/rc.conf .....
After like three hours of struggling to make the system work as a router/NAT box I failed ..
I was able to connect to the box, ssh to it from both network cards, I have no problem with that .. and I was able to tcpdump both network cards ....

The system is connected to two network cards, rl0 and rl1 respectively.
In the PF pfctl interface, only to test, I did this:

echo "block quick all " | pfctl -f - 

and to my surprise I was always able to connect to the box and it didn't block me out, which looks like pf is not reached or touched .....

Here is a list, check it out.

This should illustrate what I mean:


FBSD# ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:40:f4:eb:67:33
        inet 192.168.151.19 netmask 0xffffff00 broadcast 192.168.151.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:40:f4:eb:5d:dd
        inet 172.16.55.1 netmask 0xffffff00 broadcast 172.16.55.255
        media: Ethernet autoselect (none)
        status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
 
FBSD# echo "block quick all " | pfctl -f -
FBSD# pfctl -sa -v
FILTER RULES:
block drop quick all
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1504 ]
No queue in use

INFO:
Status: Disabled                              Debug: Urgent

Hostid:   0x2df50bf7
Checksum: 0xf67edfbb4f38672f79691ea6b22dd653

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Source Tracking Table
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                      0            0.0/s
  overload table insertion               0            0.0/s
  overload flush states                  0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

OS FINGERPRINTS:
696 fingerprints loaded
FBSD# who am i
root             ttyp0    Dec 29 22:43 (192.168.151.34)
FBSD#

Regards
Faysal Banna
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: csjp 
State-Changed-When: Sat Dec 29 19:27:42 UTC 2007 
State-Changed-Why:  
I've sent a follow up to the submitter. It looks like the 
firewall isn't enabled. 


Responsible-Changed-From-To: freebsd-bugs->csjp 
Responsible-Changed-By: csjp 
Responsible-Changed-When: Sat Dec 29 19:27:42 UTC 2007 
Responsible-Changed-Why:  
I've sent a follow up to the submitter. It looks like the 
firewall isn't enabled. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=119139 
State-Changed-From-To: analyzed->closed 
State-Changed-By: remko 
State-Changed-When: Sat Dec 29 19:30:47 UTC 2007 
State-Changed-Why:  
Please read the feedback you got: Status: Disabled. You can enable pf 
with 'pfctl -e'; please bear in mind that you will lose all 
connectivity to that machine then (because you inserted a block all). If 
you need more help please visit the freebsd-pf mailing lists 
(http://lists.freebsd.org/mailman/listinfo/freebsd-pf). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=119139 

From: "Christian S.J. Peron" <csjp@FreeBSD.org>
To: Faysal Banna <degreane@gmail.com>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/119139: FreeBSD router PF nating internal to external network not working
Date: Sat, 29 Dec 2007 13:25:51 -0600

 On Sat, Dec 29, 2007 at 07:08:52PM +0000, Faysal Banna wrote:
 [..]
 > 
 > INFO:
 > Status: Disabled                              Debug: Urgent
 > 
           ^^^^^^^^ Looks like it's not even enabled.
 
 Try enabling the firewall and see if the problem goes away :)
>Unformatted:
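The diagnosis in this PR is that a ruleset was loaded with pfctl -f while pf itself was still disabled (the "Status: Disabled" line in the pfctl -s info output), and that enabling it with "block quick all" in place would also cut the admin's own ssh session. Below is an added shell example, not part of the PR and not one of FreeBSD's own tools, that turns those two observations into a preflight check: it reads the Status line of pfctl -s info output and inspects a ruleset for a blanket block with no pass rule, so the problem is caught before anyone types pfctl -e. The sample outputs are constructed for the example, modelled on the INFO block quoted in the PR; on a live box the functions would be fed the output of pfctl -s info and pfctl -s rules.

```shell
#!/bin/sh
# Added example (not from the PR): preflight checks for a pf deployment.

# pf_status_of INFO_TEXT
# Reads the "Status:" line of `pfctl -s info` output and prints
# "enabled", "disabled" or "unknown" (no Status line found).
# Real pf prints "Status: Enabled for N days HH:MM:SS" or "Status: Disabled".
pf_status_of() {
    printf '%s\n' "$1" | awk '
        /^Status:/ {
            if ($2 == "Enabled") print "enabled"; else print "disabled"
            found = 1
            exit
        }
        END { if (!found) print "unknown" }'
}

# rc_pf_enabled RCCONF_TEXT
# Succeeds when the given rc.conf text enables pf at boot. Note that this
# setting only takes effect on reboot or via /etc/rc.d/pf start; it says
# nothing about whether pf is enabled right now (which is what bit the PR).
rc_pf_enabled() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*pf_enable="?YES"?'
}

# pf_preflight INFO_TEXT RULES_TEXT
# Prints a one-line verdict and returns 0 (ok), 1 (pf not enforcing the
# loaded rules) or 2 (ruleset would lock the administrator out: a blanket
# "block ... all" with no pass rule at all).
pf_preflight() {
    _pf_info="$1"
    _pf_rules="$2"
    _pf_status=$(pf_status_of "$_pf_info")
    if [ "$_pf_status" != "enabled" ]; then
        echo "pf $_pf_status: ruleset is loaded but not enforced (run pfctl -e)"
        return 1
    fi
    if printf '%s\n' "$_pf_rules" | grep -Eq '^block .*all' &&
       ! printf '%s\n' "$_pf_rules" | grep -Eq '^pass '; then
        echo "lockout risk: blanket block with no pass rule"
        return 2
    fi
    echo "ok"
    return 0
}

# Constructed samples, modelled on the PR's output (not captured from a live system).
SAMPLE_INFO_DISABLED='Status: Disabled                              Debug: Urgent

Hostid:   0x00000000'
SAMPLE_INFO_ENABLED='Status: Enabled for 0 days 00:01:12           Debug: Urgent'
SAMPLE_RULES_BLOCK='block drop quick all'
SAMPLE_RULES_OK='block drop all
pass in quick on rl0 proto tcp to port 22 keep state'
SAMPLE_RCCONF='hostname="FBSD.example"
pf_enable="YES"
pf_rules="/etc/pf.conf"'

# Stand-alone demo: mirror the PR's situation (rules loaded, pf disabled).
pf_preflight "$SAMPLE_INFO_DISABLED" "$SAMPLE_RULES_BLOCK" || :
```

The order of the checks matters: a disabled pf is reported first because enabling it is the step that would make a lockout rule bite, and the rc.conf check is deliberately separate so that "pf_enable=YES is set" is never mistaken for "pf is running".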
