Date: Thu, 4 Apr 2019 11:30:04 +0700
From: Victor Sudakov <vas@mpeks.tomsk.su>
To: freebsd-net@freebsd.org
Subject: Re: need help with ipfw nat to pf nat migration
Message-ID: <20190404043004.GA10861@admin.sibptus.ru>
In-Reply-To: <391e8839-00ce-0d2d-36e7-616c7d86cc30@viklenko.net>
References: <20190401033424.GA95019@admin.sibptus.ru> <75502aa3-0e10-fbba-d56b-5716e91e7b27@akhmatov.ru> <20190402070346.GA15400@admin.sibptus.ru> <391e8839-00ce-0d2d-36e7-616c7d86cc30@viklenko.net>
Artem Viklenko via freebsd-net wrote:
> >>> I'm trying to migrate some firewall rules from ipfw to pf. As pf does
> >>> NAT first and filtering after NAT, I have a problem doing the following:
> >>>
> >>> 1. All 192.168.0.0/16 addresses should be translated to the real IP of
> >>> the external interface.
> >>>
> >>> 2. A subset of the 192.168.0.0/16, for example 192.168.3.0/24,
> >>> should have access only to a limited list of addresses in the Internet,
> >>> for example 8.8.8.8 only.
> >>>
> >>> However, because the "nat" rule has already done its job before
> >>> filtering, I cannot "block on $ext_if from 192.168.3.0/24 to any"
> >>> because the source has already been translated.
>
> You can tag packets on the ingress interface and then filter on the egress interface
> based on this tag:
>
> 1.
> pass in quick on $int_if inet proto tcp from $server to any flags S/SA keep state allow-opts tag SERVER
>
> 2.
> block return-rst out log quick on $mob_if inet proto tcp to any port 25 tagged SERVER

You have already passed the packet with "quick" in the first rule; it probably will never hit the second "block" rule?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
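The tagging approach Artem describes, applied to the original 192.168.3.0/24 restriction, as an added pf.conf example that is not from the thread (interface names em0/em1 are assumed). pf evaluates the inbound rule set on the internal interface and the outbound rule set on the external interface as separate passes over the same packet, so the tag set before NAT on the way in is what the post-NAT outbound rules match on; "quick" only ends evaluation within the pass where it matched.

```pf
# Added example (not from the thread). Interface names are assumed.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.0.0/16"
restricted_net = "192.168.3.0/24"
allowed_dst = "{ 8.8.8.8 }"

# Translation: everything from the LAN leaves with the external address.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Inbound on the internal interface the source is still untranslated, so
# the restricted subnet can be matched directly. The tag is stored with
# the state, so later packets of the flow carry it as well.
pass in on $int_if inet from $restricted_net to any tag RESTRICTED keep state
pass in on $int_if inet from $lan_net to any keep state

# Outbound on the external interface the source is already the external
# IP, so match on the tag instead of the original address: tagged traffic
# may reach only the allowed destinations, everything else tagged is dropped.
pass out quick on $ext_if inet from any to $allowed_dst tagged RESTRICTED keep state
block out quick on $ext_if inet tagged RESTRICTED
pass out on $ext_if inet keep state
```

Check the loaded ordering with `pfctl -sr` and confirm a host in 192.168.3.0/24 shows no state for destinations other than 8.8.8.8 in `pfctl -ss`.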
