[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PF Filter rules & NAT

On Mon, Dec 09, 2002 at 10:58:59PM +1100, Benjamin M.A. Robson wrote:
> All,
> I have recently ellected to dump my FreeBSD+IPFilter firewall (after 
> dumping OpenBSD+IPFilter) in favour of going for an OpenBSD+PF firewall 
> platform.
> However I have struck upon an idiosynchrosy of PF that I am not sure I 
> like, and can't determine from documentation whether this is intended or 
> not.
sure it is.
> A bit of version information first:
> 	OpenBSD 3.2 - vanilla install (I havn't applied patches yet)
> 	PF version that comes with OpenBSD 3.2 - vanilla.
> Issue observed:
> 	Previously with IPFilter if a NAT rule existed:
> 		map dc0 -> portmap tcp/udp 
> 		20000:60000
> 	You would complement this with a rule like:
> 		pass in on dc1 proto tcp from to any port = 
> 		80 flags S keep state
> 		(where dc1 is the internal interface)
> 		(The above syntax may not be totally correct)
> 	With the new PF systems a NAT rule such as:
> 		nat on dc0 from to any ->
> 	Requires TWO(2) PF filtering rules like these:
> 		pass in on dc1 proto tcp from to any port = 
> 		80 flags S/SA keep state
> 		pass out on dc0 proto tcp from to any port = 80 
> 		flags S/SA keep state
> Question generated:
> 	- Why do I need to put the second rule in place?
> 	- What special/unique thing is PF doing that it can't track things 
> 	such that the first inbound rule will take care of the outbound rule from 
> the firewall appliance?
it is not wanted. EITHER you filter on both interfaces. then you do not want
to let a state from a foreign interface pass your filter on that interface.
or you only filter on one interface. then you don't need anything on the
second one.
sounds like you want
block in  on dc0 all
block out on dc0 all
[your pass rules here]
no filtering on dc1 at all.
Henning Brauer, BS Web Services, http://bsws.de
[email protected] - [email protected]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)