
Re: PF RDR/NAT Questions.



F Walls wrote:
> I am trying to port forward a service that accepts UDP traffic on ports 6666 to 7000 and also 29200. However, there is a problem in my rule-set. I think that the problem exists in my filter/lack of filter rules. Can anybody help me with this, and perhaps show me how you would go about implementing these rules? I am just starting out with Pf so any help at all would be appreciated.
>
> As far as the pass rules for the rdr rules go, how do I visualize these?
>
> For example should I picture sitting inside the firewall, and accepting traffic into the firewall on both interfaces, and out of the firewall on both interfaces? Or is pass in on the internal interface passing traffic from the firewall into the internal network?

Think of each interface as a doorway. Packets pass in and out of each doorway independently of other doorways. For packets to reach your internal server that come from the Internet, the packets pass "in" the external door ($ext_if) and "out" the internal door ($int_if). Packets in the reverse direction go in $int_if and out $ext_if.


Hopefully this simple (and somewhat silly :) analogy helps you visualize things.

Now throw stateful tracking on top of that. Stateful tracking is like giving a packet a key that will open the door. When a packet tries to go either in OR out on an interface, the state entry for that packet will allow it to pass. And actually, the default behavior is that the state entry will allow the packet to pass on *any* interface that it is moving through.

I hope this helps you.

All this information is also spread about in the documentation.

State tracking options:
http://www.openbsd.org/faq/pf/options.html#state-policy
State tracking:
http://www.openbsd.org/faq/pf/filter.html#state
Using rdr and filtering:
http://www.openbsd.org/faq/pf/rdr.html#filter

"man pf.conf"




.joel
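A pf.conf fragment that puts the doorway and state-key picture together for the exact ports in the question, added here as an example and not part of the original thread. The interface names and the server address are assumptions, and the rdr syntax is the pre-OpenBSD 4.7 form that the linked FAQ pages describe, where translation runs before filtering.

```pf
# Added example (not from the original post): forward UDP 6666-7000 and 29200
# to an internal host. Interface names and server address are assumptions.
ext_if  = "fxp0"           # assumed external interface (the "external door")
int_if  = "fxp1"           # assumed internal interface (the "internal door")
udp_srv = "192.168.1.10"   # assumed internal server, constructed address
udp_ports = "{ 6666:7000, 29200 }"

# Translation: rewrite the destination of matching packets arriving on the
# external door to the internal server. An rdr rule passes nothing by itself;
# a filter rule still has to let the packet in. With no port on the right-hand
# side, the original destination port is kept.
rdr on $ext_if proto udp from any to ($ext_if) port 6666:7000 -> $udp_srv
rdr on $ext_if proto udp from any to ($ext_if) port 29200    -> $udp_srv

# Default deny; later matching rules win, so pass rules come after this.
block all

# Filtering happens after translation, so the pass rule on the external door
# must match the *translated* destination ($udp_srv), not $ext_if.
# "keep state" is the key: the same state entry lets the packet go out the
# internal door and lets the server's reply come back, with no extra rules.
pass in on $ext_if proto udp from any to $udp_srv port $udp_ports keep state

# Ordinary outbound traffic from the LAN.
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, and `pfctl -ss` afterwards to watch the UDP state entries appear when the service is contacted.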