From owner-freebsd-pf@FreeBSD.ORG Sun Mar 26 02:58:28 2006
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4ECAF16A424 for ; Sun, 26 Mar 2006 02:58:28 +0000 (UTC) (envelope-from jos@catnook.com)
Received: from 209-204-181-78.dsl.static.sonic.net (209-204-181-78.dsl.static.sonic.net [209.204.181.78]) by mx1.FreeBSD.org (Postfix) with SMTP id 9F4DD43D46 for ; Sun, 26 Mar 2006 02:58:27 +0000 (GMT) (envelope-from jos@catnook.com)
Received: (qmail 83032 invoked by uid 1000); 26 Mar 2006 02:58:49 -0000
Date: Sat, 25 Mar 2006 18:58:27 -0800
From: Jos Backus
To: freebsd-pf@freebsd.org
Message-ID: <20060326025849.GA82791@lizzy.catnook.local>
Mail-Followup-To: freebsd-pf@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.11
X-Mailman-Approved-At: Sun, 26 Mar 2006 03:00:44 +0000
Subject: How do IPFilter's `map' and 'rdr' translate to pf?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: jos@catnook.com
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Sun, 26 Mar 2006 02:58:28 -0000

Hi,

I'm running into some trouble with IPFilter and am seizing the opportunity to
move an existing IPFilter setup on 6-stable to pf. pf seems fairly compatible
with IPFilter on the filtering side; so far the only difference I have found
is that pf doesn't support `keep frags' and a scrub rule needs to be used
instead. But the NAT definition syntax differs between the two and I haven't
been able to find a migration guide (apparently it's a TODO item). So I am
faced with converting the following entries from ipnat.rules. xl0 is int_if,
xl1 is ext_if and 1.2.3.x is an external IP address.

1.  map xl1 192.168.10.0/24 -> 1.2.3.4/32 proxy port ftp ftp/tcp

    In pf it looks like this needs to be done using a combination of running
    ftp-proxy (which I'm assuming is the `old' ftp-proxy) and rules like
    these:

        rdr on xl0 proto tcp from 192.168.10.0/24 to any port ftp \
            -> 127.0.0.1 port 8021
        # Data traffic
        pass in on xl1 inet proto tcp from port ftp-data to xl1 \
            user proxy flags S/SA keep state

Then there are these rules which I am not sure what to do about:

2.  map xl1 192.168.10.0/24 -> 1.2.3.4/32 proxy port 500 ipsec/udp

    ?

3.  map xl1 192.168.10.0/24 -> 1.2.3.4/32 proxy port 10000 ipsec/tcp

    ?

4.  map xl1 192.168.10.0/24 -> 1.2.3.4/32 portmap tcp/udp 1025:65000

    ?

5.  map xl1 192.168.10.0/24 -> 1.2.3.4/32

    ?

6.  rdr xl1 from 192.168.2.0/24 to 1.2.3.5/32 port = 3000 -> \
        192.168.1.1 port 3000

    Equivalent to

        rdr on xl1 from 192.168.2.0/24 to 1.2.3.5/32 port = 3000 -> \
            192.168.1.1 port 3000

    in pf?

7.  rdr xl1 1.2.3.6/32 port 6502 -> 192.168.1.101 port 6502

    Equivalent to

        rdr on xl1 from 1.2.3.6/32 port 6502 to any -> 192.168.1.101 port 6502

    in pf?

I'm pretty green when it comes to firewalls and NAT. Your help is appreciated!

-- 
Jos Backus
jos at catnook.com
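The following pf.conf fragment is an added example, not part of the original post and not from the pf or IPFilter projects. It sketches how the ipnat entries 1 and 4 through 7 above can be written in the nat/rdr syntax of the pf shipped with FreeBSD 6, using the interface names and the 1.2.3.x placeholder addresses from the post. Two assumptions are mine: entries 6 and 7 are treated as TCP (ipnat's rdr default when no protocol is given), and in entry 7 the address before `port` is read as the destination to match, which is what ipnat's rdr keyword matches on. Entries 2 and 3 have no direct pf equivalent: pf carries no IPsec helper, so the fragment only pins the IKE source port with `static-port` and notes the ESP limitation in a comment.

```pf
# Added example pf.conf fragment (not from the original post). Interface names
# and addresses are the ones given in the post; 1.2.3.x are placeholders.
ext_if = "xl1"
int_if = "xl0"
lan    = "192.168.10.0/24"

# Entry 1: hand FTP control connections from the LAN to ftp-proxy on
# 127.0.0.1:8021 (same rule as in the post; pass rules for the data
# connections are still required in the filter section).
rdr on $int_if proto tcp from $lan to any port ftp -> 127.0.0.1 port 8021

# Entries 2 and 3 (ipnat "ipsec" proxy): no equivalent helper exists in pf.
# static-port keeps the IKE source port at 500 instead of rewriting it, which
# is what the ipsec proxy preserved. ESP (IP protocol 50) carries no port,
# so only one internal peer per external address can be translated unless
# the peers use NAT-T (UDP 4500), which the generic nat rules below cover.
nat on $ext_if proto udp from $lan port 500 to any port 500 \
    -> 1.2.3.4 static-port

# Entry 4 (portmap tcp/udp 1025:65000): source port range for translated
# TCP/UDP sessions. nat rules are first-match, so this sits before entry 5.
nat on $ext_if proto { tcp udp } from $lan to any -> 1.2.3.4 port 1025:65000

# Entry 5: everything else from the LAN (ICMP, ESP, ...) behind 1.2.3.4.
nat on $ext_if from $lan to any -> 1.2.3.4

# Entry 6: assumed TCP (ipnat's rdr default). pf wants proto whenever a
# port is matched, and a plain "port 3000" replaces ipnat's "port = 3000".
rdr on $ext_if proto tcp from 192.168.2.0/24 to 1.2.3.5 port 3000 \
    -> 192.168.1.1 port 3000

# Entry 7: the ipnat address/port before "->" is the destination being
# redirected, so it belongs in the "to" part of the pf rule.
rdr on $ext_if proto tcp from any to 1.2.3.6 port 6502 \
    -> 192.168.1.101 port 6502

# Translation rules never pass traffic by themselves. Filter rules see the
# packet after translation, so the redirected services need pass rules that
# name the internal addresses; entry 7 shown as an example.
block in on $ext_if
pass in on $ext_if proto tcp from any to 192.168.1.101 port 6502 \
    flags S/SA keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; a syntax error such as a port match without `proto` is reported at parse time rather than silently dropping the rule.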