Date: Sun, 22 Nov 2020 19:37:54 +0100
From: "Patrick M. Hausen" <hausen@punkt.de>
To: "Saad, Mark" <Mark.Saad@lucera.com>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: PF Question
Message-ID: <749A9FE5-0F1C-4829-AC34-EB0C45C30EAA@punkt.de>
In-Reply-To: <BL0PR12MB47564448F65D65C5F43F776095FE0@BL0PR12MB4756.namprd12.prod.outlook.com>
References: <BL0PR12MB47564448F65D65C5F43F776095FE0@BL0PR12MB4756.namprd12.prod.outlook.com>

Hi!

> On 21.11.2020 at 23:42, Saad, Mark <Mark.Saad@lucera.com> wrote:
> This is sort of an abstract question. When using pf to only perform nat do I need to have at least one
> rule? Can I omit the boilerplate "scrub rule"? Other than allowing fragments and other fun
> stuff to get passed would this have any other implications?

Here’s my /etc/pf.conf on my DigitalOcean droplet that I use as a
WireGuard endpoint if I need an „US IP address“ for some reason:

—————
root@do:~ # cat /etc/pf.conf
nat on vtnet0 from 192.168.254.0/24 to any -> 134.209.*.*
nat on vtnet0 from 2003:a:****:****::/64 to any -> 2604:a880:400:d1::****:****
pass all
—————

6to6-NAT because of the restrictions of that droplet (cheapest tier).
And pf because ipfw could not do 6to6 last I checked - I am way more
familiar with ipfw.

But I guess that answers your question with a clear yes.

Kind regards,
Patrick
--
punkt.de GmbH
Patrick M. Hausen
.infrastructure

Kaiserallee 13a
76133 Karlsruhe

Tel. +49 721 9109500

https://infrastructure.punkt.de
info@punkt.de

AG Mannheim 108285
Managing directors: Jürgen Egeling, Daniel Lienert, Fabian Stein
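
For comparison with the NAT-only ruleset in the message above, an added example (not part of the original message and not the poster's configuration): the same IPv4 NAT with a scrub rule and a default-deny filter in place of "pass all". The wg0 interface name, UDP port 51820, the SSH rule, the macro names and the 203.0.113.10 address are assumptions; the message masks the real addresses.

```conf
# /etc/pf.conf -- added example, FreeBSD pf syntax.
# Section order matters: macros/options, normalization, translation, filter.

ext_if = "vtnet0"             # external interface, as in the message
wg_if  = "wg0"                # assumed WireGuard interface name
wg_net = "192.168.254.0/24"   # tunnel network, as in the message
ext_ip = "203.0.113.10"       # placeholder (TEST-NET-3) for the masked public address

set skip on lo0

# Normalization: reassemble fragments so the translation and filter rules
# below only ever see complete packets.
scrub in on $ext_if all fragment reassemble

# Translation: same job as the IPv4 nat rule in the message.
nat on $ext_if inet from $wg_net to any -> $ext_ip

# Filter: pf passes any packet that matches no filter rule, so a ruleset
# containing only nat lines (or nat plus "pass all") filters nothing.
# Start from an explicit block and open only what the endpoint serves.
block in log on $ext_if all

# Assumed services: WireGuard on its default port, SSH for administration.
pass in on $ext_if inet proto udp from any to $ext_ip port 51820
pass in on $ext_if inet proto tcp from any to $ext_ip port 22

# IPv6 neighbor discovery runs over ICMPv6; blocking it on a dual-stack
# interface breaks IPv6 connectivity.
pass in on $ext_if inet6 proto icmp6 all

# Tunnel clients may enter on the WireGuard interface; outbound traffic is
# passed and tracked statefully (keep state is the default for pass rules).
pass in on $wg_if inet from $wg_net to any
pass out all
```

The file can be syntax-checked without loading it using "pfctl -nf /etc/pf.conf".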