Setting up PF

E.g. on NetBSD/XEN, make sure you got those enabled in the kernel,

pseudo-device  pf                      # PF packet filter
pseudo-device  pflog                   # PF log if
pseudo-device  pfsync                  # PF sync if

Enable IP forwarding,

sysctl net.inet.ip.forwarding
sysctl -w net.inet.ip.forwarding=1
echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf

Configure the rules e.g. NAT and logging everything on the external interface,

vi /etc/pf.conf


nat on $ext_if from $int_if:network -> $ext_if
#rdr on $ext_if proto tcp from any to any port XX -> INTERNAL_IP

pass in log on xennet0
#pass in log all on xennet0

Enable and run,

grep pf /etc/defaults/rc.conf
cat >> /etc/rc.conf <<-EOF
ifconfig pflog0
/etc/rc.d/pflogd restart
/etc/rc.d/pf restart

Watch live,

tcpdump -n -e -ttt -i pflog0

or review past logs,

tcpdump -n -e -ttt -r /var/log/pflog

Refs. syntax

Refs. ICMP

Refs. NAT

Refs. logging