[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: NAT - PF order
On Thursday, Sep 11, 2003, at 15:52 US/Pacific, Shadi Abou-Zahra wrote:
hopefully this is not a millionth repetition of a subject but after
reading the PF FAQ and some of the mail archives i am still confused
about how bridging, NATing and PFing all work together. the exact path
of the packets through the NICs is still a little unclear to me. maybe
this should be included somewhere in the FAQ?
This flow chart may help: http://mniam.net/pf/pf.png
The spot marked KERNEL is either IP routing or bridging, depending on
which you're doing.
anyway, having said that, here is the scenario:
(all the following NICs are in a single bridge)
NIC_A: IP 22.214.171.124, connected to the big bad internet
NIC_B: IP 192.168.0.1, internal network (desktops etc)
NIC_C: IP 10.0.0.1, internal servers (development and staging area)
NIC_D: NO IP, DMZ 1 (a collection of operational www and mail servers)
NIC_E: NO IP, DMZ 2 (a collection of operational DB and backend
With this setup, why are you bridging and not routing?
using NAT on NIC_A i map all the outbound connections from the
internal network (192.168.0.0/24) to the IP of the bridge/firewall
using BINAT on NIC_A i map further IP aliases (eg. 126.96.36.199) to
internal development or staging servers (eg. 10.0.0.2).
then there are a bunch of PF rules (on each interface) to control the
access of each of these segments to each other.
here are my questions:
1. NATing always happens before PF rules are applied. correct?
2. if all the NATing happens on NIC_A, why do i get such entries in my
state table when an internal desktop tries to reach a server in DMZ 1:
192.168.0.13 -> 188.8.131.52 -> 184.108.40.206
(ie. the private address is translated to the external bridge IP!)
What is the default gateway for the internal desktop? Where does this
3. my understanding is that a packet from an internal desktop (ie.
192.168.0.13) to an internal server (ie. 10.0.0.13) would PASS IN ON
NIC_B and then PASS OUT ON NIC_C but it doesn't seem to behave that
way. did i get something wrong?
You could verify this by adding "log-all" to all of your pass rules,
and using tcpdump (with -e) on pflog0. It will show you where pf is
seeing the packets.
4. equally, a server on DMZ 1 trying to reach a service on DMZ 2
should PASS IN ON NIC_D and PASS OUT ON NIC_E but the packets seem to
be going through NIC_A as well. does this make any sense or do i have
a terribly bad setup?
IP routing can't be ignored. I would guess it is what's causing the
behavior you're seeing.
5. finally, is there any way to reach an internal server (ie.
10.0.0.13) through a "real" IP from both outside (NIC_A) and inside