Date: Mon, 17 Aug 2015 23:33:54 +0300 From: =?UTF-8?B?0JDQu9C10LrRgdCw0L3QtNGA?= <it.nvsk.cbs@yandex.ru> To: freebsd-pf@freebsd.org Subject: packet processing figure out Message-ID: <55D24532.9030703@yandex.ru>
next in thread | raw e-mail | index | archive | help
Hello everyone. I've been using pf for quite a while with a pretty simple ruleset. Now I have a new network with lots of services and vpns, so i have to make a very good firewall. I looked up in man pf.conf and found that nat is evaluated before rules. I said ok, but than I found this http://www.benzedrine.ch/pf_flow.png and I got really confused. For example simple gateway with ext_if and int_if: 1. packet comes from inside to internet - i have to allow it to *pass in* on int_if - i have to allow *nat* on ext_if - i have to allow it to *pass out* on ext_if (and here i must take in consideration that src_ip was altered) Do i really have to write 3 rules to make nat working? (question 1) If i use nat pass statement how many rules i can omit? (question 2) 2. packet comes from internet to forwarded port - i have to allow *rdr on ext_if* - i have to allow *pass in* on ext_if (take in consideration dst_ip altering) - i have to allow *pass out* on int_if (dst_ip altered already) Again 3 rules? (question 3) If i use *rdr pass on* statement, how many rules can i omit?(question 4) If I'm right with all above, how can i differentiate traffic natted from internal network with one sourced by firewall itself if it has same source ip address?(question 5) And by the way is there any good flowchart of often used traffic going through pf firewall(with nat used along the way) so i can realy get a feeling about what is going under the hood? Thank you. P.S: 10.2-RELEASE Alex
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?55D24532.9030703>