Date:      Mon, 17 Aug 2015 23:33:54 +0300
From:      Александр <it.nvsk.cbs@yandex.ru>
To:        freebsd-pf@freebsd.org
Subject:   packet processing figure out
Message-ID:  <55D24532.9030703@yandex.ru>

Hello everyone.
I've been using pf for quite a while with a pretty simple ruleset.
Now I have a new network with lots of services and VPNs, so I have to 
make a very good firewall.
I looked in man pf.conf and found that nat is evaluated before rules.
I said OK, but then I found this http://www.benzedrine.ch/pf_flow.png 
and I got really confused.
For example, a simple gateway with ext_if and int_if:
1. A packet comes from inside to the internet
  - I have to allow it to *pass in* on int_if
  - I have to allow *nat* on ext_if
  - I have to allow it to *pass out* on ext_if (and here I must take into 
consideration that src_ip was altered)
  Do I really have to write 3 rules to make NAT work? (question 1)
  If I use the nat pass statement, how many rules can I omit? (question 2)
2. A packet comes from the internet to a forwarded port
  - I have to allow *rdr on ext_if*
  - I have to allow *pass in* on ext_if (take into consideration the dst_ip 
altering)
  - I have to allow *pass out* on int_if (dst_ip altered already)
  Again 3 rules? (question 3)
  If I use the *rdr pass on* statement, how many rules can I omit? (question 4)

If I'm right with all of the above, how can I differentiate traffic NATed from 
the internal network from traffic sourced by the firewall itself if it has the same 
source IP address? (question 5)

And by the way, is there any good flowchart of commonly used traffic going 
through a pf firewall (with NAT used along the way) so I can really get a 
feeling for what is going on under the hood?

Thank you.
P.S.: 10.2-RELEASE

Alex
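The two cases the message walks through, written out as a pf.conf ruleset in the FreeBSD 10.x (pre-OpenBSD 4.7) syntax the poster is using. This is an added example, not part of the original message or of any reply to it; the interface names, the internal network and the forwarded web server are assumptions. It shows the three-rule form for each case, the shorter form using the `pass` modifier on the translation rule, and one way to tell translated traffic apart from traffic the firewall originates itself, using the `tag` keyword on the translation rule and `tagged` in the filter rules.

```pf
# Added example, not from the original post. Interface names, the LAN
# prefix and the forwarded server are assumptions for illustration only.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

set skip on lo0

# --- Translation rules: evaluated before the filter rules (pf.conf(5)) ---

# Case 1: outbound LAN traffic, source-translated on ext_if.
# "tag LAN_NATTED" marks the state so the filter can recognise translated
# traffic even though it now carries the firewall's own external address.
nat on $ext_if from $int_net to any tag LAN_NATTED -> ($ext_if)

# Case 2: inbound connection to a forwarded port, destination-translated
# on ext_if.  Tagged for the same reason.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 tag WEB_RDR \
    -> $web_srv port 80

# Shorter alternative (questions 2 and 4): with the "pass" modifier, packets
# matching the translation rule are passed without inspecting the filter
# rules on that interface, so the "pass out on $ext_if" rule of case 1 and
# the "pass in on $ext_if" rule of case 2 below can be dropped.  The rule on
# the other interface (int_if) is still needed.
# nat pass on $ext_if from $int_net to any tag LAN_NATTED -> ($ext_if)
# rdr pass on $ext_if proto tcp from any to ($ext_if) port 80 tag WEB_RDR \
#     -> $web_srv port 80

# --- Filter rules: see the packet *after* translation ---

block log all

# Case 1, the three steps the post lists:
#   1a. enter on int_if with its original LAN source address
pass in  on $int_if from $int_net to any
#   1b. the nat rule above
#   1c. leave on ext_if; src is now ($ext_if), so match on the tag instead
pass out on $ext_if tagged LAN_NATTED

# Question 5: traffic the firewall originates itself has the same source
# address but no tag, so it gets its own, separately scoped rule.
pass out on $ext_if proto { tcp udp } from ($ext_if) to any \
    port { 53 123 } ! tagged LAN_NATTED

# Case 2, the three steps the post lists:
#   2a. the rdr rule above
#   2b. enter on ext_if; dst is already rewritten to $web_srv
pass in  on $ext_if proto tcp from any to $web_srv port 80 tagged WEB_RDR
#   2c. leave on int_if towards the server
pass out on $int_if proto tcp from any to $web_srv port 80 tagged WEB_RDR
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then inspect what was loaded with `pfctl -s nat` and `pfctl -s rules`. Tagging at the translation rule rather than matching on addresses keeps the outbound policy for the LAN separate from the policy for the firewall's own connections, which is the distinction question 5 is after.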