From: Max Laier
To: freebsd-pf@freebsd.org, Cédric Jonas
Date: Wed, 3 Nov 2004 19:21:46 +0100
Subject: Re: NAT Loopback

[ Sorry for the delay, EuroBSDCon has been demanding - and a lot of FUN! ]

Hi Cédric,

On Tuesday 02 November 2004 14:53, Cédric Jonas wrote:
> Since 5 days, I try to install PF on my Server, to replace my old
> hardware router... Until now, everything was ok, better than the old
> router - BUT, what I miss is the NAT Loopback functionality (so
> that IP packets which comes from the LAN and are destined to my WAN
> IP, leaves effectively the WAN interface and come back through the
> WAN interface => the packet is subjected to the filter rulesets for
> incoming packets on my WAN interface = NAT Loopback)

> I found this in the OpenBSD PF FAQ:
> http://www.openbsd.org/faq/pf/rdr.html#rdrnat, but it isn't what I
> search, because the packets don't leave and reentry the WAN
> interface.

You can try to add a rule in the form of:

  pass in on $internal_if route-to ($external_if $external_ip) \
    from any to $external_ip

This will loopback all traffic hitting the internal interface destined to
the external IP via the external interface. Be aware of the overhead of this
approach. Depending on your setup it might be easier to replicate the desired
restrictions for the internal interface.

> I hope that one will be able to help me here (and that I described
> it understandably), it's my last
> possibility I think.

It's always helpful to post your ruleset, so that we can tell you where to put
new rules or to explain which rules do cause the problem you are seeing.
Don't be too afraid to post your rulesets - fortunately *BSD and the default
services it provides are a whole lot more secure than seen elsewhere ;)

> Sorry for my bad English, but I do what I can ;-)

Oh c'mon - I've seen worse and that includes me sometimes.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
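
Added example, not part of the original message and not the poster's ruleset: the route-to rule from the reply with its macros defined, beside the alternative the reply mentions of replicating the restrictions on the internal interface. The interface names, the address and the allowed ports are constructed assumptions.

```conf
# pf.conf fragment (filter section). All values below are constructed
# placeholders, not taken from the thread.
internal_if   = "fxp1"          # assumed LAN-facing interface
external_if   = "fxp0"          # assumed WAN-facing interface
external_ip   = "192.0.2.10"    # documentation address standing in for the WAN IP
wan_tcp_ports = "{ 22, 80 }"    # hypothetical: services the WAN ruleset allows

# Option 1: the rule given in the reply. Traffic arriving on the internal
# interface for the external IP is routed via the external interface.
pass in on $internal_if route-to ($external_if $external_ip) \
    from any to $external_ip

# Option 2: the alternative named in the reply. Instead of rerouting,
# repeat the WAN restrictions on the internal interface. Use this INSTEAD
# of option 1: pf applies the last matching rule, so with both active the
# block below would override the route-to pass for everything that the
# final pass rule does not match.
#
# block in on $internal_if from any to $external_ip
# pass  in on $internal_if proto tcp from any to $external_ip \
#     port $wan_tcp_ports keep state
```

Running `pfctl -nf` on the file parses the ruleset without loading it, which catches macro and syntax mistakes before the rules take effect.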