Re: NAT - PF order

On Thursday, Sep 11, 2003, at 15:52 US/Pacific, Shadi Abou-Zahra wrote:

> Hopefully this is not a millionth repetition of a subject, but after reading the PF FAQ and some of the mail archives I am still confused about how bridging, NATing and PFing all work together. The exact path of the packets through the NICs is still a little unclear to me. Maybe this should be included somewhere in the FAQ?

This flow chart may help: http://mniam.net/pf/pf.png
The spot marked KERNEL is either IP routing or bridging, depending on which you're doing.

> Anyway, having said that, here is the scenario:
> (all the following NICs are in a single bridge)
> NIC_A: IP, connected to the big bad internet
> NIC_B: IP, internal network (desktops etc.)
> NIC_C: IP, internal servers (development and staging area)
> NIC_D: NO IP, DMZ 1 (a collection of operational www and mail servers)
> NIC_E: NO IP, DMZ 2 (a collection of operational DB and backend servers)

With this setup, why are you bridging and not routing?

> Using NAT on NIC_A I map all the outbound connections from the internal network ( to the IP of the bridge/firewall (

> Using BINAT on NIC_A I map further IP aliases (e.g. to internal development or staging servers (e.g.

> Then there are a bunch of PF rules (on each interface) to control the access of each of these segments to each other.

> Here are my questions:
> 1. NATing always happens before PF rules are applied. Correct?

> 2. If all the NATing happens on NIC_A, why do I get such entries in my state table when an internal desktop tries to reach a server in DMZ 1: -> ->
> (i.e. the private address is translated to the external bridge IP!)

What is the default gateway for the internal desktop? Where does this gateway reside?

> 3. My understanding is that a packet from an internal desktop (i.e. to an internal server (i.e. would PASS IN ON NIC_B and then PASS OUT ON NIC_C, but it doesn't seem to behave that way. Did I get something wrong?

You could verify this by adding "log-all" to all of your pass rules, and using tcpdump (with -e) on pflog0. It will show you where pf is seeing the packets.

> 4. Equally, a server on DMZ 1 trying to reach a service on DMZ 2 should PASS IN ON NIC_D and PASS OUT ON NIC_E, but the packets seem to be going through NIC_A as well. Does this make any sense, or do I have a terribly bad setup?

IP routing can't be ignored. I would guess it is what's causing the behavior you're seeing.

> 5. Finally, is there any way to reach an internal server (i.e. through a "real" IP from both outside (NIC_A) and inside (NIC_B)?
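As an added illustration (not part of the thread, and not the original poster's ruleset), here is a pf.conf sketch of the setup described above in the 2003-era syntax, showing the ordering point behind question 1 and the log-all check suggested for question 3. The interface names, networks and addresses are placeholders chosen for the example; the real addresses were stripped from the archived mail.

```conf
# Added example, not from the thread. All names and addresses are assumed.
ext_if  = "NIC_A"      # stands in for the real driver name, e.g. fxp0
int_if  = "NIC_B"
srv_if  = "NIC_C"

int_net  = "192.168.1.0/24"   # placeholder: desktops behind NIC_B
srv_net  = "192.168.2.0/24"   # placeholder: dev/staging behind NIC_C
staging  = "192.168.2.10"     # placeholder: one staging server
stage_ip = "203.0.113.10"     # placeholder: public alias for that server

# Translation section. pf evaluates nat/binat rules before any filter rule,
# and only for traffic on the interface named here; packets that never
# leave via $ext_if are not rewritten. ($ext_if) tracks the interface address.
nat   on $ext_if from $int_net to any -> ($ext_if)
binat on $ext_if from $staging to any -> $stage_ip

# Filter section. Rules on $ext_if see the already-translated source
# (the bridge IP or $stage_ip), never the private address.
block log-all all

# Desktop to staging traffic should match in on NIC_B and out on NIC_C.
# With log-all on every pass rule, "tcpdump -n -e -ttt -i pflog0" prints the
# interface and rule each logged packet matched, which is the check above.
pass in  log-all on $int_if proto tcp from $int_net to $srv_net keep state
pass out log-all on $srv_if proto tcp from $int_net to $srv_net keep state

# Inbound to the binat'd alias: the filter rule names the internal address,
# because the binat translation is applied before filtering on the way in too.
pass in log-all on $ext_if proto tcp from any to $staging port 80 keep state
```

If the logged "in on" interface for desktop-to-staging packets is NIC_A rather than NIC_B, the packets are reaching the firewall by a path other than the bridge port you expected, which is the routing question raised in the replies above.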