
PF Filter rules & NAT



All,

I have recently elected to dump my FreeBSD+IPFilter firewall (after dumping OpenBSD+IPFilter) in favour of going for an OpenBSD+PF firewall platform.

However, I have struck upon an idiosyncrasy of PF that I am not sure I like, and can't determine from the documentation whether this is intended or not.

A bit of version information first:
	OpenBSD 3.2 - vanilla install (I haven't applied patches yet)
	PF version that comes with OpenBSD 3.2 - vanilla.

Issue observed:
	Previously with IPFilter if a NAT rule existed:
		map dc0 192.168.0.0/16 -> 20.20.20.1/32 portmap tcp/udp 20000:60000
	You would complement this with a rule like:
		pass in on dc1 proto tcp from 192.168.0.0/16 to any port = 80 flags S keep state
		(where dc1 is the internal interface)
		(The above syntax may not be totally correct)

	With the new PF systems a NAT rule such as:
		nat on dc0 from 192.168.0.0/16 to any -> 20.20.20.1/32
	Requires TWO(2) PF filtering rules like these:
		pass in on dc1 proto tcp from 192.168.0.0/16 to any port = 80 flags S/SA keep state
		pass out on dc0 proto tcp from 20.20.20.1 to any port = 80 flags S/SA keep state

Question generated:
- Why do I need to put the second rule in place?
- What special/unique thing is PF doing that it can't track things such that the first inbound rule will take care of the outbound rule from the firewall appliance?


Thanks for the assist.

Regards,
BenR.
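The ruleset the post describes, written out as a complete pf.conf for OpenBSD 3.2 (an added example, not the poster's own configuration): the interface names, the addresses and the two pass rules are taken from the post; the macro names and the default-deny block rules are assumptions. The reason both pass rules are needed is that PF filters the packet separately on every interface it crosses (in on dc1, then out on dc0), and translation rules are evaluated before filter rules, so the rules on dc0 see the packet with its source already rewritten to 20.20.20.1. Under a default block policy the outbound leg therefore needs its own pass rule, and that rule cannot be written against 192.168.0.0/16 because that address no longer appears in the packet on dc0.

```pf
# Added example (not from the original post): a minimal OpenBSD 3.2 pf.conf
# showing why a NAT'd flow needs a pass rule on both interfaces.
# Interface names, addresses and the internal network come from the post;
# the macro names and the default-deny rules are assumptions.

ext_if   = "dc0"
int_if   = "dc1"
ext_addr = "20.20.20.1"
int_net  = "192.168.0.0/16"

# Translation is evaluated before filtering on $ext_if, so every filter
# rule on $ext_if sees the packet with its source rewritten to $ext_addr.
nat on $ext_if from $int_net to any -> $ext_addr

# Default deny in both directions on every interface. Without this the
# second pass rule below would not be needed, but nothing would be
# filtered on $ext_if either.
block in all
block out all

# 1) The packet arrives on $int_if (direction "in") and is filtered here
#    first, still carrying its original 192.168/16 source address.
pass in on $int_if proto tcp from $int_net to any port = 80 flags S/SA keep state

# 2) The same packet leaves on $ext_if (direction "out") and is filtered
#    again, now with the translated source. A rule written "from $int_net"
#    here would never match; it has to be written against $ext_addr.
pass out on $ext_if proto tcp from $ext_addr to any port = 80 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. A common way to avoid duplicating every service rule on both interfaces is to keep the per-service policy on $int_if and add one broad `pass out on $ext_if ... keep state` rule for the translated traffic, since the decision about which internal hosts may talk to which ports has already been made on the inbound leg.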