
Re: pf default deny problem

Thanks for the clarification; it makes sense now, I think.

If I understand correctly, nat/rdr/binat are translated first, then the filter rules below are applied _to_ the already translated datagrams. I've applied this understanding to a new ruleset, and everything is working as I'd hoped.

One question remains: even without a "pass out on $ext_if all" rule at the bottom of the ruleset, connections from the NAT'd internal network (rfc1918) still seem to work fine. The exception to this is connections established from the gateway box itself. Without the pass out rule, the gateway box itself can't seem to do _anything_, while boxes on the internal LANs can. I don't quite understand why, given the gateway has interfaces on both these LANs anyway.

Clarification of this would be most appreciated, and would go a long way to my understanding of how pf does what it does.

Thanks for your attention and explanation. Very appreciated!
Daniel Hartmeier wrote:
No, packets translated by nat/rdr/binat will not automatically pass and
create state. The packet is first translated, then the filter rules are
evaluated. If they pass the packet, a state is automatically created. If
they block it, it's blocked and no state is created. The wording
'implicitly create state' might need some rework, the point it's trying
to make is that the pass rule will create state for translated packets
even if it doesn't have the 'keep state' option. But you still need that
pass rule. And it needs to match the packet _after_ translation.
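To make the translate-then-filter ordering from the thread concrete, here is an added example ruleset (not from either poster) in the nat/rdr syntax the discussion uses; the interface names and LAN range are placeholders:

```pf
# Constructed example in the pre-OpenBSD-4.7 pf syntax this thread describes:
# translation rules (nat/rdr/binat) are applied first, and the filter rules
# then see the already-translated packet. Names below are placeholders.
ext_if = "xl0"
int_if = "xl1"
lan    = "192.168.1.0/24"

# Translation only: rewrite the source of LAN traffic leaving $ext_if to the
# external address. By itself this passes nothing and creates no state.
nat on $ext_if from $lan to any -> $ext_if

# Default deny, so every permitted flow needs an explicit pass rule.
block all

# LAN hosts entering the gateway's inside interface. No nat applies on
# $int_if, so the rfc1918 source addresses are still visible here.
pass in on $int_if from $lan to any keep state

# On $ext_if the filter sees the packet AFTER nat: its source is now the
# external address, so the rule must match that. The same rule also covers
# the gateway's own outbound connections, which originate on $ext_if and
# never traverse $int_if at all.
pass out on $ext_if from $ext_if to any keep state

# Written against the pre-translation address, this would match nothing on
# the outbound path, because by then the source is no longer in $lan:
# pass out on $ext_if from $lan to any keep state
```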