
Re: filtering + NAT (Newbie)



On Apr 8, 2005 6:32 AM, Siju George <[email protected]> wrote:
> On Apr 6, 2005 10:22 PM, Kimi Ostro <[email protected]> wrote:
Hi again,
Well, actually my NAT rule is correct, as I am only translating
packets coming _from_ my internal network from ports higher than 1023
(unprivileged ports), not to.
Although I think I know where I have gone wrong: I assumed wrongly that
packets were filtered first and then translated -- is there a way to
change this behaviour? Probably not.
So going by this, my pass rule should read:
pass out on $ext_if from $ext_if to any port 80 keep state flags S/SA
That works, but seems wrong? Especially if I go by Jacek Artymiak's
"Building Firewalls with OpenBSD and pf" book, looking at the rules
template on pages 282-283 (NAT + Screened Host/LAN) and then the
ruleset on pages 292-293.
Anyway..
Would this seem right:
# connection coming from a client to a webserver + NAT on external interface
The packet enters the internal interface with a source IP of 10.10.10.10 port
40960 and a destination IP of 129.128.5.191 port 80; the pf NAT rule
changes the packet's source IP to 30.30.30.30. pf filters the packet
according to the rules, finds a matching pass rule, then the kernel
routes the packet. The packet arrives on the external interface
from the kernel, pf filters again, finding a matching rule, then the
packet is sent to the destination.
Thanks again!
-- 
spamassassinexception
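As an added illustration of the ordering the post describes (this is example configuration, not the poster's ruleset or the book's template), here is a minimal pf.conf in the pre-OpenBSD-4.7 syntax used in the thread. The interface names, the internal network and the use of port 80 are assumptions. Because translation happens before filtering on the outbound interface, the pass out rule on the external interface has to match the translated source, which is why the poster's `from $ext_if` form works:

```pf
# Example ruleset, added here; interface names and addresses are assumed.
ext_if = "xl0"
int_if = "xl1"
int_net = "10.10.10.0/24"

# Outbound traffic from the internal network is translated to the
# external interface address before any filter rule on $ext_if sees it.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny; only the rules below open anything.
block all

# Inbound on the internal interface: the packet still carries its
# original 10.10.10.x source, so match on the internal network here.
pass in on $int_if inet proto tcp from $int_net to any port 80 keep state flags S/SA

# Outbound on the external interface: the packet now carries the
# translated source, so match on the external address, not 10.10.10.x.
pass out on $ext_if inet proto tcp from ($ext_if) to any port 80 keep state flags S/SA
```

To confirm the ordering on a running box, load the file with `pfctl -nf /etc/pf.conf` (syntax check only) and then `pfctl -f /etc/pf.conf`; `pfctl -s nat` shows the translation rule and `pfctl -s state` shows each client connection as a state entry keyed on the translated address, which is what the filter rules on `$ext_if` matched against.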