From: George Davidovich <freebsd@optimis.net>
To: freebsd-questions@freebsd.org
Date: Fri, 4 Dec 2009 14:56:50 -0800
Subject: Re: PF binat rule issue - feature or bug?
Message-ID: <20091204225650.GA18745@marvin.optimis.net>
In-Reply-To: <4B193BB0.5000806@scls.lib.wi.us>
References: <4B193BB0.5000806@scls.lib.wi.us>
User-Agent: Mutt/1.5.19 (2009-01-05)
On Fri, Dec 04, 2009 at 10:41:20AM -0600, Greg Barniskis wrote:
> Using 7.2-RELEASE-p4 i386 with GENERIC kernel, I've found (the hard way)
> that if I have a pf.conf rule like
>
> nat on $ext_if proto { tcp udp icmp } from $my_subnet \
> to any -> some.public.ip.num
>
> then pfctl will perform the expected expansion of the listed protocols
> into three separate NAT rules.
>
> However, if I have a rule like
>
> binat on $ext_if proto { tcp udp icmp } from $server_dmz_ip \
> to any -> $server_public_ip
>
> then I will /only/ get one NAT rule, for TCP.
>
> Then things like NTP, DNS and ping will fail, but the filtering rules
> that permit such traffic will increment their byte, packet and state
> counters like PF is working just fine (and I suppose in some sense that
> the filtering part is). But only if I explicitly declare in pf.conf a
> separate binat rule for each desired protocol, instead of listing them,
> will things work as needed.
>
> Feature or bug? If the former, it is not well documented that I could
> see. I expected that a list of protocols for a binat rule would just
> work, and pfctl certainly didn't mark it as bad syntax. If a bug, is
> this a FreeBSD bug or OpenBSD?

The BNF grammar in pfconf(5) suggests that binat rules don't take a list.
Summarised:

nat-rule   = ... "proto" ( proto-name | proto-number | "{" proto-list "}" )
binat-rule = ... proto ( proto-name | proto-number )

-- 
George
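The grammar difference George points to is easy to miss in a large ruleset, because pfctl accepts the list form on a binat rule without complaint and simply installs one rule. As an added example (not code from the thread, from pfctl or from the pf project), the following Python lint reads a pf.conf, joins backslash-continued lines, expands a nat rule's `proto { ... }` list the way the poster observed pfctl doing it, and flags any binat rule that still carries a list, printing the one-rule-per-protocol rewrite that Greg found works. The sample ruleset is constructed from the rules quoted above; macro names and addresses in it are placeholders, and the lint only recognises the `proto` clause, not the rest of the pf grammar.

```python
"""Lint a pf.conf for binat rules that carry a protocol list.

Added example, not part of the original mailing-list thread. Per the
pfconf(5) grammar quoted in the reply, a nat rule accepts
'proto { a b c }' (expanded by pfctl into one rule per protocol) while a
binat rule accepts only a single proto-name or proto-number. pfctl does
not reject the list form on a binat rule, so this lint flags it and
shows the per-protocol rewrite that the poster found works.
"""
import re
from typing import List, Tuple

# Matches 'proto { tcp udp icmp }' or 'proto tcp' and captures the operand.
_PROTO_RE = re.compile(r"\bproto\s+(\{[^}]*\}|\S+)")

# Constructed sample ruleset modelled on the rules quoted in the thread;
# interface, macro names and addresses are placeholders.
SAMPLE_PF_CONF = """\
# constructed sample pf.conf
ext_if = "em0"
nat on $ext_if proto { tcp udp icmp } from $my_subnet \\
    to any -> some.public.ip.num
binat on $ext_if proto { tcp udp icmp } from $server_dmz_ip \\
    to any -> $server_public_ip
binat on $ext_if proto tcp from $other_dmz_ip to any -> $other_public_ip
"""


def join_continuations(text: str) -> List[Tuple[int, str]]:
    """Join backslash-continued lines; return (first_line_no, logical_line)."""
    out: List[Tuple[int, str]] = []
    buf: List[str] = []
    start = None
    for i, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if start is None:
            start = i
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        out.append((start, " ".join(buf).strip()))
        buf, start = [], None
    if buf:  # file ended on a continued line
        out.append((start, " ".join(buf).strip()))
    return out


def proto_list(rule: str) -> List[str]:
    """Return the protocols named in the rule's 'proto' clause ([] if none)."""
    m = _PROTO_RE.search(rule)
    if not m:
        return []
    operand = m.group(1)
    if operand.startswith("{"):
        return operand.strip("{}").replace(",", " ").split()
    return [operand]


def expand_rule(rule: str) -> List[str]:
    """Expand 'proto { a b }' into one copy of the rule per protocol.

    This mirrors the expansion the poster saw pfctl apply to nat rules.
    """
    protos = proto_list(rule)
    if len(protos) <= 1:
        return [rule]
    return [_PROTO_RE.sub(f"proto {p}", rule, count=1) for p in protos]


def lint_binat(text: str) -> List[Tuple[int, str, List[str]]]:
    """Flag binat rules with a proto list; return (line, rule, rewrite)."""
    findings = []
    for lineno, rule in join_continuations(text):
        stripped = rule.split("#", 1)[0].strip()  # drop trailing comments
        if not stripped.startswith("binat"):
            continue
        if len(proto_list(stripped)) > 1:
            findings.append((lineno, stripped, expand_rule(stripped)))
    return findings


if __name__ == "__main__":
    for lineno, rule, rewrite in lint_binat(SAMPLE_PF_CONF):
        print(f"line {lineno}: binat rule has a proto list; pfctl keeps only one")
        print(f"  {rule}")
        print("  rewrite as:")
        for r in rewrite:
            print(f"    {r}")
```

Run it against a real ruleset by replacing `SAMPLE_PF_CONF` with the file contents; a clean run prints nothing. The expansion helper is deliberately generic, so it also shows what pfctl does with the nat rule's list, which makes the asymmetry between the two rule types visible side by side.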