Date:      Fri, 4 Dec 2009 14:56:50 -0800
From:      George Davidovich <freebsd@optimis.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: PF binat rule issue - feature or bug?
Message-ID:  <20091204225650.GA18745@marvin.optimis.net>
In-Reply-To: <4B193BB0.5000806@scls.lib.wi.us>
References:  <4B193BB0.5000806@scls.lib.wi.us>

On Fri, Dec 04, 2009 at 10:41:20AM -0600, Greg Barniskis wrote:
> Using 7.2-RELEASE-p4 i386 with GENERIC kernel, I've found (the hard way) 
> that if I have a pf.conf rule like
> 
> nat on $ext_if proto { tcp udp icmp } from $my_subnet \
>    to any -> some.public.ip.num
> 
> then pfctl will perform the expected expansion of the listed protocols 
> into three separate NAT rules.
> 
> However, if I have a rule like
> 
> binat on $ext_if proto { tcp udp icmp } from $server_dmz_ip \
>    to any -> $server_public_ip
> 
> then I will /only/ get one NAT rule, for TCP.
> 
> Then things like NTP, DNS and ping will fail, but the filtering rules 
> that permit such traffic will increment their byte, packet and state 
> counters like PF is working just fine (and I suppose in some sense that 
> the filtering part is). But only if I explicitly declare in pf.conf a 
> separate binat rule for each desired protocol, instead of listing them, 
> will things work as needed.
> 
> Feature or bug? If the former, it is not well documented that I could 
> see. I expected that a list of protocols for a binat rule would just 
> work, and pfctl certainly didn't mark it as bad syntax. If a bug, is 
> this a FreeBSD bug or OpenBSD?

The BNF grammar in pfconf(5) suggests that binat rules don't take a
list.  Summarised:

nat-rule   = ... "proto" ( proto-name | proto-number | "{" proto-list "}" )

binat-rule = ... "proto" ( proto-name | proto-number )

-- 
George
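The practical consequence of that grammar, as an added pf.conf fragment that is not from either poster: the list form is accepted by the parser but only the first protocol is translated, so a bidirectional mapping for a DMZ host has to be written as one binat rule per protocol. The macro names ($ext_if, $server_dmz_ip, $server_public_ip) are the ones used in the thread; the addresses are constructed placeholders.

```pf
# Constructed example values; replace with your own addressing.
ext_if = "em0"
server_dmz_ip = "192.0.2.10"      # private address of the DMZ host
server_public_ip = "198.51.100.10" # public address it is mapped to

# NOT what you want: pfctl loads this without a syntax error, but the
# binat grammar takes a single protocol, so only TCP is translated.
# UDP (DNS, NTP) and ICMP (ping) from the host leave untranslated.
#
#   binat on $ext_if proto { tcp udp icmp } from $server_dmz_ip \
#       to any -> $server_public_ip

# Working form: one binat rule per protocol.
binat on $ext_if proto tcp  from $server_dmz_ip to any -> $server_public_ip
binat on $ext_if proto udp  from $server_dmz_ip to any -> $server_public_ip
binat on $ext_if proto icmp from $server_dmz_ip to any -> $server_public_ip

# Filter rules still need to pass the traffic; binat only rewrites addresses.
pass in  on $ext_if proto { tcp udp icmp } from any to $server_dmz_ip keep state
pass out on $ext_if proto { tcp udp icmp } from $server_dmz_ip to any keep state
```

Because the parser does not reject the list form, a dry-run parse (`pfctl -nf /etc/pf.conf`) is not enough to catch the mistake. After loading, list the translation rules with `pfctl -sn` and confirm that one binat rule appears for each protocol you expect; if only the tcp rule is present, the list form was silently truncated.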



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091204225650.GA18745>