I am setting up a system as an ADSL gateway. ADSL is working fine. PF is not forwarding for some reason.
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
priority: 0
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:a0:c9:84:98:5f
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::2a0:c9ff:fe84:985f%fxp0 prefixlen 64 scopeid 0x1
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:06:5b:20:f0:b3
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 10.0.0.2 netmask 0xff000000 broadcast 10.255.255.255
inet6 fe80::206:5bff:fe20:f0b3%xl0 prefixlen 64 scopeid 0x2
enc0: flags=0<>
priority: 0
groups: enc
status: active
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
priority: 0
dev: fxp0 state: session
sid: 0x213 PADI retries: 0 PADR retries: 0 time: 00:08:23
sppp: phase network authproto pap authname "johnubis@tpg.com.au"
groups: pppoe egress
status: active
inet6 fe80::2a0:c9ff:fe84:985f%pppoe0 -> prefixlen 64 scopeid 0x5
inet 220.245.128.9 --> 202.7.179.48 netmask 0xffffffff
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
priority: 0
groups: pflog
# cat /etc/pf.conf
# /etc/pf.conf as first posted; forwarding from the LAN did not work with this version.
int_if="xl0"
ext_if="pppoe0"
wan_if="fxp0"
thenetwrk="10.0.0.0/8"
rothbard="10.0.0.10"
baal="10.0.0.2"
smass="10.0.0.1"
etcp_services="{22}"
itcp_services="{22,53}"
icmp_types="echoreq"
ports_rothbard="{17000,17001,17002,17003,17004,17005,2322}"
ports_smass="{17100,17101,17102,17103,17104,17105,2222}"
set block-policy return
set loginterface $ext_if
set skip on lo
# fxp0 carries only the PPPoE frames (ifconfig shows no inet address on it); IP is filtered on pppoe0.
set skip on $wan_if
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp \
divert-to 127.0.0.1 port 8021
# BUG: nat-to $int_if rewrites the source to xl0's own address, 10.0.0.2 (see
# ifconfig above), so LAN traffic leaves the uplink with a private source and
# replies never come back. The translation address has to be the uplink's own:
# nat-to ($ext_if).
match out on $ext_if from 10.0.0.0/8 to any nat-to $int_if
# No direction given, so this matches both in and out on pppoe0. An inbound
# packet claiming a 10/8 source on the uplink is spoofed; the antispoof rule
# below is "quick" and still blocks it.
pass on $ext_if from 10.0.0.0/8 to any
pass out on $ext_if proto tcp from any to any
pass in on $ext_if proto tcp from any to any port $ports_rothbard rdr-to $rothbard
pass in on $ext_if proto tcp from any to any port $ports_smass rdr-to $smass
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) \
port $etcp_services
# $baal is xl0's LAN address; inbound on the uplink this is unlikely to ever match.
pass in on egress inet proto tcp from any to $baal port $itcp_services
pass in inet proto icmp all icmp-type $icmp_types
# NOTE(review): there is no "block" rule anywhere in this file. pf passes any
# packet no rule matches, so the pass rules above do not actually restrict
# inbound traffic on pppoe0.
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1
I can SSH to the box and reach the ports I've allowed, but packets are not forwarded through it.
Never mind, I fixed it myself.
New pf.conf...
# cat /etc/pf.conf
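# /etc/pf.conf — ADSL gateway: LAN on xl0 (10.0.0.0/8), Internet via pppoe0,
# fxp0 is the Ethernet port the PPPoE session rides on.
int_if="xl0"
ext_if="pppoe0"
wan_if="fxp0"
thenetwrk="10.0.0.0/8"
rothbard="10.0.0.10"
baal="10.0.0.2"
smass="10.0.0.1"
# Service reachable on the gateway's own external address.
etcp_services="{22}"
# Services on $baal (this box's LAN address), reachable from the LAN.
itcp_services="{22,53}"
icmp_types="echoreq"
# Ports redirected from the uplink to the two LAN hosts.
ports_rothbard="{17000,17001,17002,17003,17004,17005,2322}"
ports_smass="{17100,17101,17102,17103,17104,17105,2222}"

# "return" answers blocked packets with RST / ICMP unreachable. That is
# convenient on the LAN, but on the uplink it confirms a host is listening, so
# the external default-deny below says "drop" explicitly.
set block-policy return
set loginterface $ext_if
set skip on lo
# fxp0 carries only PPPoE frames (no inet address on it); IP is filtered on pppoe0.
set skip on $wan_if

anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp \
divert-to 127.0.0.1 port 8021

# Default deny on the uplink. pf passes whatever no rule matches, so without
# this line every port on pppoe0 is reachable and the pass rules below restrict
# nothing. Later pass rules override it (last match wins); hits go to pflog0.
# This also drops the IPv6 link-local traffic on pppoe0, which nothing here uses.
block drop in log on $ext_if

# The gateway's own outbound connections; the state entry lets the replies back in.
pass out on $ext_if
# LAN -> Internet, translated to whatever address the PPPoE session currently has.
pass out on $ext_if from $int_if:network to any nat-to ($ext_if)
pass in on $int_if from 10.0.0.0/8 to any
pass out on $int_if from any to any

# Port forwards to the LAN hosts; "pass out on $int_if" above lets the
# redirected packets reach them.
pass in on $ext_if proto tcp from any to any port $ports_rothbard rdr-to $rothbard
pass in on $ext_if proto tcp from any to any port $ports_smass rdr-to $smass

# Drop 10/8 sources arriving on pppoe0 (and non-loopback sources on lo);
# "quick" makes this win over the pass rules.
antispoof quick for { lo $int_if }

# SSH to the gateway from the Internet. This is exposed to password guessing;
# consider max-src-conn-rate with an overload table, or limiting the source.
pass in on $ext_if inet proto tcp from any to (egress) \
port $etcp_services
# Already covered by "pass in on $int_if from 10.0.0.0/8 to any"; kept as documentation.
pass in on $int_if inet proto tcp from any to $baal port $itcp_services
pass in inet proto icmp all icmp-type $icmp_types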