[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

filtering + NAT (Newbie)

Hello !
I am trying to understand how NAT affects packet filtering and am not
sure if I am on the right track. My understanding is this;
$ext_if = "tun0"
$int_if = "fxp1"
nat on $ext_if from $int_if:network port > 1023 to any -> ($ext_if)
block all
pass quick on lo0
pass in quick on $int_if
# allow my caching/forwardind dns out
pass out on $ext_if inet proto tcp from $ext_if to any port 53 keep
state flags S/SA
# allow http (port 80) out from internal network
pass out on $ext_if from $int_if:network to any port 80 keep state flags S/SA
# eof
from my understand is that DNS packets coming my firewall will pass
out creating a connection then create a state in pf's state table -
probably not evaluating the rule again, unless the packets destination
has changed?
as for the second pass rule, I kinda expect it to pass any packets
destined to a port 80 (http in this case) on any host for the outside
world, translating the packets with a source IP of my internal network
to that of a IP of my external interfaces IP
I draw diagram of my network:
[internet] <--> [adsl modem] <--> [openbsd/pf firewall/gateway] <-->
[internal network]
my internet is just standard ADSL via pppoa
adsl modem is in bridge mode
openbsd connect to internet via ppp/pppoe, also has named running as
caching forwarder
I can connect no problem with pf disabled
thank you