NetBSD-Users archive
Re: npf forwarding <-
On Mon, Nov 19, 2018 at 02:42:50PM +0000, Stephen Borrill wrote:
>
> Note, your ruleset does not work for me until I alter:
> group "internal" on $int_if {
>     pass stateful final all apply "log"
>     pass all apply "log"
> }
>
> to:
> group "internal" on $int_if {
>     pass in final from $int_net to any
>     pass stateful out final all
> }
>
> If I don't do that, I get ICMP unreachable like you.

I made your change, so npfctl show tells me:

# filtering: active
# config: loaded
procedure "log"
map iwn0 dynamic any -> 10.111.65.65 pass family inet4 from 10.168.204.0/24 # id="1"
map wm0 dynamic 10.111.65.4 <- any pass family inet4 to 128.232.132.8 # id="2"
group "external" on iwn0 # id="1"
    pass stateful out final all apply "log" # id="2"
    pass all apply "log" # id="3"
group "internal" on wm0 # id="4"
    pass in final family inet4 from 10.168.204.0/24 # id="5"
    pass stateful out final all # id="6"
group "local" on lo0 # id="7"
    pass all apply "log" # id="8"
group # id="9"
    pass all apply "log" # id="a"

and I still get ICMP unreachable...

15:12:47.244501 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.168.204.26.65533 > 128.232.132.8.80: Flags [S], cksum 0xba02 (correct), seq 1740294724, win 32768, options [mss 1460,nop,wscale 3,sackOK,TS val 1 ecr 0], length 0
15:12:47.244544 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto ICMP (1), length 56, bad cksum 0 (->e1c)!)
    10.168.204.62 > 10.168.204.26: ICMP host 10.111.65.4 unreachable, length 36
        IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
        10.168.204.26.65533 > 10.111.65.4.36224: [|tcp]

Cheers,
Patrick