Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 5 Feb 2010 22:48:12 +0000 (UTC)
From:      Ludovico Cavedon <ludovico.cavedon@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   allow-opts on a nat pass rule
Message-ID:  <loom.20100205T234657-208@post.gmane.org>

next in thread | raw e-mail | index | archive | help
Hi all,
I have a freebsd 7.2-RELEASE-p2 firewall with a configuration like this:

#### BEGIN ###
ext_if4="em0"     # public interface
int_if="em1"      # private interface, to be source NATted

nat pass log (to pflog2) on $ext_if4 inet from $int_if:network to ! ($ext_if4)
-> ($ext_if4)
block drop log    # logs to pflog0
pass quick log (to pflog1) on $int_if allow-opts      # private network
pass out from ($ext_if4) allow-opts modulate state    # public network
#### END ###

If I send a packet to a public host from an private one, everything is fine, the
packet arrives at the destination, and is logged by pflog1 and pflog2.

If this packet, however, contains an IP option (e.g. NOP), the packets if
blocked by the firewall, and logged by pflog1 and pflog0.

Looks like it is not possible to specify "allow-opts" for the "nat pass" rules.
Is there any way I can get packets with IP options to be NATted?

Thank you in advance,
Ludovico






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?loom.20100205T234657-208>