PF Filter rules & NAT
I have recently elected to dump my FreeBSD+IPFilter firewall (after dumping OpenBSD+IPFilter) in
favour of going for an OpenBSD+PF firewall platform.
However I have struck upon an idiosyncrasy of PF that I am not sure I like, and can't determine
from documentation whether this is intended or not.
A bit of version information first:
OpenBSD 3.2 - vanilla install (I haven't applied patches yet)
PF version that comes with OpenBSD 3.2 - vanilla.
Previously with IPFilter if a NAT rule existed:
map dc0 192.168.0.0/16 -> 220.127.116.11/32 portmap tcp/udp 20000:60000
You would complement this with a rule like:
pass in on dc1 proto tcp from 192.168.0.0/16 to any port = 80 flags S keep state
(where dc1 is the internal interface)
(The above syntax may not be totally correct)
With the new PF systems a NAT rule such as:
nat on dc0 from 192.168.0.0/16 to any -> 18.104.22.168/32
Requires TWO(2) PF filtering rules like these:
pass in on dc1 proto tcp from 192.168.0.0/16 to any port = 80 flags S/SA keep state
pass out on dc0 proto tcp from 22.214.171.124 to any port = 80 flags S/SA keep state
- Why do I need to put the second rule in place?
- What special/unique thing is PF doing that it can't track things such that the first inbound rule
will take care of the outbound rule from the firewall appliance?
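As an added illustration (not the poster's ruleset), here is a minimal OpenBSD 3.2-style pf.conf that puts the nat rule and the two pass rules next to a default block, so the role of each hole is visible. Interface names and the LAN range follow the post; the public address 203.0.113.1 is a constructed placeholder.

```pf
# Added example, not from the original post: minimal OpenBSD 3.2 pf.conf
# showing why both pass rules are needed once everything else is blocked.
ext_if = "dc0"                  # external interface (from the post)
int_if = "dc1"                  # internal interface (from the post)
lan    = "192.168.0.0/16"
ext_ip = "203.0.113.1"          # constructed placeholder for the public address

# Translation is applied before filtering on the outbound interface, so the
# packet pf filters on $ext_if already carries $ext_ip as its source.
nat on $ext_if from $lan to any -> $ext_ip

# Default deny on every interface; each pass rule below opens its own hole.
block in log all
block out log all

# Hole 1: the untranslated packet arriving from the LAN on the inside interface.
# The state created here is keyed on the 192.168.x.y source address.
pass in on $int_if proto tcp from $lan to any port = 80 flags S/SA keep state

# Hole 2: the same connection leaving on the outside interface after NAT.
# Its source is now $ext_ip, which does not match the state from hole 1,
# so without this rule the "block out" above drops it.
pass out on $ext_if proto tcp from $ext_ip to any port = 80 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s state` then shows the separate state entries that one LAN connection creates under this ruleset.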
Thanks for the assist.