From: Elliott Perrin
Reply-To: elliott@c7.ca
To: Daniel Roethlisberger
Cc: freebsd-pf@freebsd.org
Subject: Re: iptables rule in pf
Date: Thu, 08 May 2008 22:15:43 -0400
Message-Id: <1210299343.28559.31.camel@kensho.c7.ca>
In-Reply-To: <20080508113524.GA7168@hobbes.ustdmz.roe.ch>

On Thu, 2008-05-08 at 13:35 +0200, Daniel Roethlisberger wrote:
> Elliott Perrin 2008-05-08:
> > On Thu, 2008-05-08 at 11:36 +0300, Oleksandr Samoylyk wrote:
> > > CZUCZY Gergely wrote:
> > > > On Thu, 08 May 2008 11:05:45 +0300 Oleksandr Samoylyk
> > > > wrote:
> > > >> CZUCZY Gergely wrote:
> > > >>> On Thu, 08 May 2008 01:04:54 +0300 Oleksandr Samoylyk
> > > >>> wrote:
> > > >>>> Dear Community,
> > > >>>>
> > > >>>> I want to move some of our firewalls from Linux/iptables to
> > > >>>> FreeBSD/pf.
> > > >>>>
> > > >>>> After reading man pf.conf for a couple of minutes I couldn't
> > > >>>> find the realization of such iptables rule in pf:
> > > >>>>
> > > >>>> iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p
> > > >>>> tcp --dport 25 -j DROP
> > > >>> block in on $interface proto tcp from any to ! my.smtp.server
> > > >>> port 25
> > > >>>
> > > >>>> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j
> > > >>>> DNAT --to-destination :25
> > > >>> rdr on $interface proto tcp from any to port 2525 ->
> > > >>> port 25
> > > >> I meant _any_ destination with 25 port.
> > > >>
> > > >> That iptables rule worked for any destination.
> > > > You cannot rewrite a packet's destination address to _any_
> > > > destination.
> > > >
> > > > It's like you cannot submit a package at the post office with the
> > > > destination address "any". It's just meaningless.
> > >
> > > However it works with iptables. :)
> > >
> > > What can I do in my situation in order to gain the same
> > > functionality by means of pf or other additional daemons?
> >
> > It doesn't just "work" in iptables. All you are doing is PAT with that
> > rule, rewriting destination ports. What does your DNAT table look like
> > where packets matching this rule then jump to? [...]
>
> Your analysis of the two provided netfilter rules is wrong. DNAT is a
> built-in pseudo-chain which does the actual destination address/port
> translation, in this case it rewrites the destination port to 25 and
> leaves the destination address untouched.
>
> Just to clear up some of the terms used with netfilter: you don't jump
> to tables, you jump to chains. Tables in netfilter are "nat", "filter"
> and "mangle"; like parallel worlds with their own set of chains, each
> table having a distinct purpose (packet filtering, address/port
> translations, and other packet mangling/tagging).

I was not sure if DNAT was a built-in or not. As far as the difference
between tables / chains, thanks for clearing that up. I have not
firewalled with ipchains/iptables for quite some time, so I am not
completely up to speed on the semantics surrounding the software's
current incarnation. If having used incorrect terminology resulted in
difficulties, I apologize.

However, from a processing perspective my analysis is correct in
concept. The second rule does a port address translation, switching the
destination port from port 2525 to port 25 on packets that match the
rule.

My analysis of both rules was in a previous reply to the poster's
original email; I have included that analysis again below. Perhaps if
it too is incorrect from a conceptual perspective you could be so kind
as to point out why?

"iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp
--dport 25 -j DROP

says all packets destined for port 25 for any address other than
my.smtp.server, jump to the builtin DROP table/chain.

The second rule

iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT
--to-destination :25

I would think builds on the first (just like in pf, order of rule
processing is very important) and says anything with a destination of
port 2525, jump to the DNAT table/chain and switch the destination port
to port 25, leaving the destination IP address untouched. Essentially
you are just doing PAT there.

Hard to know exactly what you are trying to do without network
topography. Is this on a three-legged firewall for LAN to DMZ/Internet
connections or is this intended for inbound connections to your SMTP
servers? The rules in pf to serve either purpose would be different."
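The pf.conf rules closest to the two netfilter rules discussed in this thread, added here as an illustration and not posted by any participant; `$ext_if`, `$smtp_server` and the address are assumed placeholders, and the block uses the rdr/filter syntax of pf of that era. It shows the two points a pf admin needs to keep in mind here: `rdr` must name a redirect host, so a port-only rewrite for arbitrary destinations (what `DNAT --to-destination :25` does) cannot be expressed and the destination is pinned to the server, and translation happens before filtering, so the block rule sees the already-rewritten packet.

```pf
# Added illustration, not from the thread. Assumed macro names and address:
ext_if = "em0"
smtp_server = "192.0.2.25"    # placeholder (RFC 5737 documentation range)

# Counterpart of the second netfilter rule (--dport 2525 -j DNAT --to-destination :25).
# rdr requires an explicit redirect host after "->", so the destination address
# cannot be left untouched for "any" destination; it is redirected to the server.
rdr on $ext_if inet proto tcp from any to any port 2525 -> $smtp_server port 25

# Counterpart of the first netfilter rule (-d ! my.smtp.server --dport 25 -j DROP).
# rdr is applied before the filter rules are evaluated, so packets redirected
# above arrive here with destination $smtp_server:25 and are not caught by this block.
block in log on $ext_if inet proto tcp from any to ! $smtp_server port 25

# Admit SMTP to the server itself, whether sent there directly or via the rdr.
pass in on $ext_if inet proto tcp from any to $smtp_server port 25 flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax before `pfctl -f`, and watch `pflog0` for hits on the block rule to confirm the ordering behaves as expected.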