From owner-freebsd-pf@FreeBSD.ORG Thu May 8 08:43:35 2008
From: Elliott Perrin
To: freebsd-pf@freebsd.org
In-Reply-To: <48222786.3050400@samoylyk.sumy.ua>
References: <48222786.3050400@samoylyk.sumy.ua>
Date: Thu, 08 May 2008 04:43:02 -0400
Message-Id: <1210236182.5607.138.camel@kensho.c7.ca>
Subject: Re: iptables rule in pf
Reply-To: elliott@c7.ca

On Thu, 2008-05-08 at 01:04 +0300, Oleksandr Samoylyk wrote:
> Dear Community,
>
> I want to move some of our firewalls from Linux/iptables to FreeBSD/pf.
>
> After reading man pf.conf for a couple of minutes I couldn't find the
> realization of such iptables rule in pf:
>
> iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport 25 -j DROP
> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT --to-destination :25
>
> How can it be rewritten in pf.conf?
>
> Thanks!
>

It's been a while since I worked with iptables, but the first rule

  iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport 25 -j DROP

says all packets destined for port 25 for any address other than my.smtp.server jump to the builtin DROP table/chain. The second rule

  iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT --to-destination :25

I would think builds on the first (just like in pf, order of rule processing is very important) and says anything with a destination of port 2525 jumps to the DNAT table/chain and switches the destination port to port 25, leaving the destination IP address untouched. Essentially you are just doing PAT there.

Hard to know exactly what you are trying to do without network topography. Is this on a three-legged firewall for LAN to DMZ/Internet connections, or is this intended for inbound connections to your SMTP servers? The rules in pf to serve either purpose would be different.

Also, what does your DNAT table look like? That second rule causes packets to rewrite their destination port, but what then happens in the DNAT table?

Cheers,
~e
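Added example, not from either poster: one pf.conf rendering of the two iptables rules for the inbound-SMTP case discussed above, in the FreeBSD pf syntax of that era. It assumes ethX is em0 and uses 192.0.2.25 as a placeholder for my.smtp.server.

```pf
# Placeholders: replace with your external interface and SMTP host address.
ext_if      = "em0"
smtp_server = "192.0.2.25"

# --- translation rules (pf requires these before the filter rules) ---
# iptables: -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT --to-destination :25
# pf's rdr needs an explicit target address, so the original destination is
# preserved by naming the SMTP host on both sides; only the port changes (PAT).
rdr on $ext_if inet proto tcp from any to $smtp_server port 2525 -> $smtp_server port 25

# --- filter rules (evaluated after rdr, so they see port 25, not 2525) ---
# iptables: -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport 25 -j DROP
# block drops silently like DROP unless "set block-policy return" is configured.
block in quick on $ext_if inet proto tcp from any to ! $smtp_server port 25
pass  in quick on $ext_if inet proto tcp from any to $smtp_server port 25 flags S/SA keep state
```

Validate with `pfctl -nf /etc/pf.conf` before loading; pfctl rejects the file if the rdr line appears below the filter rules.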