For example, on NetBSD/Xen, make sure these pseudo-devices are enabled in the kernel configuration:
    pseudo-device pf     # PF packet filter
    pseudo-device pflog  # PF log interface
    pseudo-device pfsync # PF state sync interface
Enable IP forwarding,
    sysctl net.inet.ip.forwarding
    sysctl -w net.inet.ip.forwarding=1
    echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf
Configure the rules, e.g. NAT for the internal network plus logging of everything inbound on the external interface,
    mv -i /etc/pf.conf /etc/pf.conf.dist
    vi /etc/pf.conf
with /etc/pf.conf containing:
    ext_if="xennet0"
    int_if="xennet1"
    nat on $ext_if from $int_if:network -> $ext_if
    #rdr on $ext_if proto tcp from any to any port XX -> INTERNAL_IP
    pass in log on xennet0
    #pass in log on xennet0 all
Enable and run,
    grep pf /etc/defaults/rc.conf
    cat >> /etc/rc.conf <<-EOF
    pf=yes
    pflogd=yes
    EOF
    ifconfig pflog0
    /etc/rc.d/pflogd restart
    /etc/rc.d/pf restart
Watch live,
    tcpdump -n -e -ttt -i pflog0
or review past logs,
    tcpdump -n -e -ttt -r /var/log/pflog
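Since the rule set above logs every inbound packet on the external interface, the pflog output fills quickly; the following added script (not part of the original note) summarises tcpdump's pflog text by action, source address and destination port, and flags sources that exceed a threshold. It assumes IPv4 addresses and the "rule N/(match) pass in on IF: SRC.PORT > DST.PORT:" layout that tcpdump prints for pflog; the sample lines are constructed, not captured traffic.

```shell
#!/bin/sh
# Summarise pflog text (tcpdump -n -e -ttt -r /var/log/pflog) by
# "action source-ip dest-port" so noisy sources stand out.
# Constructed sample in tcpdump pflog format (IPv4 only, not real traffic).
SAMPLE_PFLOG='00:00:00.000000 rule 1/(match) pass in on xennet0: 203.0.113.7.40012 > 198.51.100.2.22: Flags [S], seq 1, win 65535, length 0
00:00:00.000413 rule 1/(match) pass in on xennet0: 203.0.113.7.40013 > 198.51.100.2.22: Flags [S], seq 2, win 65535, length 0
00:00:01.120000 rule 1/(match) pass in on xennet0: 203.0.113.7.40014 > 198.51.100.2.22: Flags [S], seq 3, win 65535, length 0
00:00:00.500000 rule 0/(match) block in on xennet0: 192.0.2.55.1234 > 198.51.100.2.23: Flags [S], seq 1, win 1024, length 0
00:00:02.000000 rule 1/(match) pass in on xennet0: 192.0.2.55.1235 > 198.51.100.2.80: Flags [S], seq 1, win 1024, length 0'

# pflog_summary: read pflog text on stdin, print "count action src dport"
# per tuple, most frequent first.
pflog_summary() {
    awk '
    {
        # Locate the action word and the "SRC > DST:" pair on each line.
        for (i = 1; i <= NF; i++) {
            if ($i == "pass" || $i == "block") action = $i
            if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
        }
        sub(/:$/, "", dst)
        # Source: drop the trailing port; destination: keep only the port.
        split(src, s, ".")
        srcip = s[1] "." s[2] "." s[3] "." s[4]
        m = split(dst, d, ".")
        dport = d[m]
        count[action " " srcip " " dport]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# noisy_sources THRESHOLD: sources with more than THRESHOLD passed
# connections to a single destination port.
noisy_sources() {
    pflog_summary | awk -v t="$1" '$1 > t && $2 == "pass" { print $3 }'
}

printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
```

Feed it real data with `tcpdump -n -e -ttt -r /var/log/pflog | pflog_summary`.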
Small helper scripts for the two views (a shebang line is added so they run directly after chmod +x):
    cat > log <<EOF
    #!/bin/sh
    tail -F /var/log/messages
    EOF
    cat > logpf <<EOF
    #!/bin/sh
    tcpdump -n -e -ttt -i pflog0
    EOF
    chmod +x log logpf