
Re: nat exclusions



On Thu, May 06, 2004 at 02:11:08PM -0400, Phil Sointu wrote:
> i've observed that pf will nat all addresses in a supplied cidr block. 
> for example, if i instruct pf to nat my 24-bit private network ...
> 
> nat on xl0 from 192.168.0.0/24 to any -> xl0
> 
> .. pf will not only nat traffic sourcing from 192.168.0.1 through 
> 192.168.0.254 but also 192.168.0.0 and 192.168.0.255.  i've always 
> considered these the network and network broadcast addresses.  anyway, 
> i'm not really interested in translating/passing any traffic that 
> sources from the network and network broadcast addresses.  my only 
> interest in that kind of traffic would be why it's trying to leave my 
> network in the first place!
You mean .0 and .255 as source addresses. I'd block them on the internal
interface, as you really don't want to pass them to external addresses.
Sounds more straightforward than preventing nat (and possibly sending them
out with untranslated source addresses, unless you block them, too), as
in
  block log quick on $int_if from { 192.168.0.0, 192.168.0.255 } \
        to ! $int_if
That also logs them, so you can investigate when they occur. I'm not
sure the stack would even IP forward them in the first case, the entire
point might be moot ;)
But, yes, :hosts could be useful in some cases, it's probably simple to
support, noted as a possible new feature on the to-do list.
Daniel
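The two rules from the thread placed together in a pf.conf fragment, as an added example that is not part of the original mail. It assumes fxp0 as the internal interface name and uses a table (a pf feature of that era, not something the thread mentions) to hold the two addresses; the nat line is the one Phil posted, the block line is Daniel's.

```conf
# /etc/pf.conf fragment (added example; interface name fxp0 is assumed)
ext_if = "xl0"
int_if = "fxp0"
lan    = "192.168.0.0/24"

# Network and broadcast addresses of $lan, which should never appear as a
# source address on the internal interface.
table <lan_bad_src> const { 192.168.0.0, 192.168.0.255 }

# Translation: matches every source in the /24, so .0 and .255 would be
# translated too if they reached the external interface.
nat on $ext_if from $lan to any -> $ext_if

# Filtering: translation happens before the filter rules see the packet on
# $ext_if, so the original source is only visible where the packet enters,
# on $int_if. Drop it there, log it, and stop evaluation (quick).
# "to ! $int_if" leaves packets addressed to the firewall itself alone.
block log quick on $int_if from <lan_bad_src> to ! $int_if

# Ordinary LAN traffic
pass in  on $int_if from $lan to any keep state
pass out on $ext_if from $ext_if to any keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; once loaded, blocked packets show up on pflog0 because of the `log` keyword.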