Date: Sat, 25 Mar 2006 18:58:27 -0800
From: Jos Backus <jos@catnook.com>
To: freebsd-pf@freebsd.org
Subject: How do IPFilter's `map' and 'rdr' translate to pf?
Message-ID: <20060326025849.GA82791@lizzy.catnook.local>
Hi,

I'm running into some trouble with IPFilter and am seizing the opportunity
to move an existing IPFilter setup on 6-stable to pf. pf seems fairly
compatible with IPFilter on the filtering side; so far the only difference
I have found is that pf doesn't support `keep frags' and a scrub rule needs
to be used instead. But the NAT definition syntax differs between the two
and I haven't been able to find a migration guide (apparently it's a TODO
item). So I am faced with converting the following entries from
ipnat.rules. xl0 is int_if, xl1 is ext_if and 1.2.3.x is an external IP
address.

1. map xl1 192.168.10.0/24 -> 1.2.3.4/32 proxy port ftp ftp/tcp

   In pf it looks like this needs to be done using a combination of
   running ftp-proxy (which I'm assuming is the `old' ftp-proxy) and rules
   like these:

       rdr on xl0 proto tcp from 192.168.10.0/24 to any port ftp \
           -> 127.0.0.1 port 8021

       # Data traffic
       pass in on xl1 inet proto tcp from port ftp-data to xl1 \
           user proxy flags S/SA keep state

Then there are these rules which I am not sure what to do about:

2. map xl1 192.168.10.0/24 -> 1.2.3.4/32 proxy port 500 ipsec/udp

   ?

3. map xl1 192.168.10.0/24 -> 1.2.3.4/32 proxy port 10000 ipsec/tcp

   ?

4. map xl1 192.168.10.0/24 -> 1.2.3.4/32 portmap tcp/udp 1025:65000

   ?

5. map xl1 192.168.10.0/24 -> 1.2.3.4/32

   ?

6. rdr xl1 from 192.168.2.0/24 to 1.2.3.5/32 port = 3000 -> \
       192.168.1.1 port 3000

   Equivalent to

       rdr on xl1 from 192.168.2.0/24 to 1.2.3.5/32 port = 3000 -> \
           192.168.1.1 port 3000

   in pf?

7. rdr xl1 1.2.3.6/32 port 6502 -> 192.168.1.101 port 6502

   Equivalent to

       rdr on xl1 from 1.2.3.6/32 port 6502 to any -> 192.168.1.101 port 6502

   in pf?

I'm pretty green when it comes to firewalls and NAT. Your help is
appreciated!

-- 
Jos Backus
jos at catnook.com
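As an added worked example (the editor's, not part of the original message or of any reply), here is one pf.conf translation of the seven ipnat entries above for a FreeBSD 6.x pf. It assumes that rules 6 and 7 carry TCP (ipnat's rdr defaults to tcp when no protocol is named, and pf requires a protocol whenever a port is given), that the old inetd-spawned ftp-proxy listens on 127.0.0.1 port 8021 as in the message, and that only one IKE client at a time sits behind the NAT; the `static-port` workaround for rules 2 and 3 is the editor's suggestion, since pf has no counterpart to ipnat's ipsec proxy.

```pf
# Added example, not from the original message. Macros for the interfaces
# and addresses given in the message (xl0 = inside, xl1 = outside).
ext_if = "xl1"
int_if = "xl0"
lan    = "192.168.10.0/24"
ext_ip = "1.2.3.4"

# In pf.conf the translation rules (nat, rdr, binat) must come before the
# filter rules; within each kind the first matching rule wins, so the more
# specific nat rule is listed first.

# ipnat rules 2 and 3 (ipsec proxy): pf has no application proxy for IKE.
# The nearest substitute keeps the UDP 500 source port unchanged so the
# peer sees the expected port; this only works for one client at a time
# behind the NAT (editor's assumption about the setup, not in the original).
nat on $ext_if proto udp from $lan to any port 500 -> $ext_ip static-port

# ipnat rules 4 and 5: ipnat needs a 'portmap' map for tcp/udp plus a plain
# map for every other protocol. One pf nat rule covers all protocols and
# rewrites tcp/udp source ports by itself; the range from rule 4 is carried
# over explicitly (drop "port 1025:65000" to accept pf's default range).
nat on $ext_if from $lan to any -> $ext_ip port 1025:65000

# ipnat rule 1: hand FTP control connections to the old ftp-proxy on the
# loopback, exactly as the message already shows.
rdr on $int_if proto tcp from $lan to any port ftp -> 127.0.0.1 port 8021

# ipnat rule 6: in pf's rdr grammar the public address is the packet's
# destination, so it sits after "to"; the "=" of ipnat is implied.
rdr on $ext_if proto tcp from 192.168.2.0/24 to 1.2.3.5 port 3000 \
    -> 192.168.1.1 port 3000

# ipnat rule 7: same shape, "from any" because ipnat named no source.
rdr on $ext_if proto tcp from any to 1.2.3.6 port 6502 \
    -> 192.168.1.101 port 6502

# Filter rules (not shown) must still pass the redirected and translated
# traffic; nat and rdr only rewrite addresses and ports.
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without installing it, which catches the grammar mistakes that differ most from ipnat (a port without a protocol, or a nat rule placed after the filter rules).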