From: "Patrick M. Hausen" <hausen@punkt.de>
To: "Saad, Mark"
Cc: freebsd-net@freebsd.org
Subject: Re: PF Question
Date: Sun, 22 Nov 2020 19:37:54 +0100
Message-Id: <749A9FE5-0F1C-4829-AC34-EB0C45C30EAA@punkt.de>
List-Id: Networking and TCP/IP with FreeBSD

Hi!

> On 21.11.2020 at 23:42, Saad, Mark wrote:
> This is sort of an abstract question. When using pf to only perform nat do I need to have at least one
> rule? Can I omit the boilerplate "scrub rule"? Other than allowing fragments and other fun
> stuff to get passed would this have any other implications?

Here's my /etc/pf.conf on my DigitalOcean droplet that I use as a WireGuard endpoint if I need a "US IP address" for some reason:

—————
root@do:~ # cat /etc/pf.conf
nat on vtnet0 from 192.168.254.0/24 to any -> 134.209.*.*
nat on vtnet0 from 2003:a:****:****::/64 to any -> 2604:a880:400:d1::****:****
pass all
—————

6to6-NAT because of the restrictions of that droplet (cheapest tier). And pf because ipfw could not do 6to6 last I checked - I am way more familiar with ipfw.

But I guess that answers your question with a clear yes.

Kind regards,
Patrick

-- 
punkt.de GmbH
Patrick M. Hausen
.infrastructure
Kaiserallee 13a
76133 Karlsruhe
Tel. +49 721 9109500
https://infrastructure.punkt.de
info@punkt.de
AG Mannheim 108285
Geschäftsführer: Jürgen Egeling, Daniel Lienert, Fabian Stein
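As an added example (not part of the thread and not Patrick's ruleset), the same NAT-only setup with the scrub line and a default-block policy restored, which is what omitting them gives up: vtnet0 and 192.168.254.0/24 come from the thread, while the wg0 interface name, the external addresses and the WireGuard port 51820 are assumptions.

```pf
# Added example, not the ruleset from the thread. vtnet0 and the IPv4
# internal prefix follow the thread; wg0, the IPv6 prefix, the external
# addresses (documentation ranges) and port 51820 are assumptions.
ext_if   = "vtnet0"
int_if   = "wg0"
int_net4 = "192.168.254.0/24"
int_net6 = "2001:db8:1::/64"
ext_v4   = "192.0.2.1"
ext_v6   = "2001:db8::1"

# Options: silently drop blocked packets, do not filter loopback.
set block-policy drop
set skip on lo0

# Normalisation must precede translation and filtering in pf.conf.
# Reassembling fragments here means NAT and the state table only ever
# see whole packets, so a translated fragment is never forwarded
# unreassembled and overlapping-fragment tricks are normalised away.
# The thread's minimal ruleset omits this line; NAT still works, but
# fragments are translated and passed as-is.
scrub in all fragment reassemble

# Translation: identical in effect to the two nat lines in the thread.
nat on $ext_if inet  from $int_net4 to any -> $ext_v4
nat on $ext_if inet6 from $int_net6 to any -> $ext_v6

# Filtering: "pass all" in the thread also accepts unsolicited inbound
# traffic on the external interface. Replace it with a default block
# and explicit stateful pass rules for what the endpoint actually serves.
block in on $ext_if
pass in  on $ext_if proto tcp to ($ext_if) port ssh   keep state
pass in  on $ext_if proto udp to ($ext_if) port 51820 keep state
pass out on $ext_if keep state
pass     on $int_if all keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which catches ordering mistakes (a scrub rule placed after nat or pass rules) before they reach a live firewall.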