Date: Sat, 5 Apr 2008 13:42:33 +0400
From: Igor Zinovik <zinovik@kspu.karelia.ru>
To: freebsd-pf@freebsd.org
Subject: pf + NAT + bridge
Message-ID: <20080405094233.GA64607@zinovik.kspu.karelia.ru>
Hello, freebsd-pf@ readers.

I'm working with the following setup: we are running a FreeBSD box that is used as an internet access gateway. Currently ipf is used as the firewall package, but I want to switch from ipf to pf. In my opinion the setup is awkward (do not ask why): the machine is acting as a bridge and has to provide access to some internal hosts (e.g. www) from the public internet. The bridge was made to provide transparent access for several trusted networks to an internal host that holds a database needed by clients in these subnets (also do not ask why VPN is not implemented). Also the current ruleset is damn huge and ugly.

    [ Internet ]
         |
         |
    [ mynetwork ]---[gate]---[ subnet_2 ]
                      |
                      |
                [ subnet_3 ]

I read the docs across the network and understood that pf cannot track states on a bridge (at least on one interface of the bridge). So my question is: can pf handle rdr when the machine is acting as a bridge? My ruleset does not allow access to internal hosts from the public internet. I understood that I have to track state for udp connections, otherwise pf blocks dns responses. ftp-proxy also does not work with this setup; I may assume this is because I do not keep state on the internal interface. There are also strange timeouts (up to 20 seconds) with smtp connections to the mail server, but pop3 works fine.

/etc/pf.conf (macros such as $ext_if, $int_if, $www_public_ip, $www_private_ip and $mail_public_ip are defined earlier in the file and not shown):

    scrub in all

    # redirect public www host ports to the private address; intercept ftp from inside for ftp-proxy
    rdr pass on $ext_if inet proto tcp from any to $www_public_ip port { ssh, www, ftp, ftp-data } -> $www_private_ip
    rdr pass on $int_if inet proto tcp from any to any port ftp -> 127.0.0.1 port 8021

    block return-rst proto tcp all
    block all

    # stateless blanket passes
    pass quick on $int_if all
    pass out on $ext_if all

    # stateful passes on the external interface
    pass in quick on $ext_if proto tcp to self port ssh flags S/SA keep state
    pass out on $ext_if inet proto udp from any to any port domain keep state
    pass in quick on $ext_if proto tcp from any to $www_private_ip port www flags S/SA keep state
    pass in quick on $ext_if proto tcp from any to $mail_public_ip port { smtp, pop3, www } flags S/SA keep state
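The state-tracking point raised above (UDP replies and ftp-proxy traffic being dropped when the inside is passed statelessly) can be isolated in a ruleset. The pf.conf below is an added example, not the poster's configuration and not an answer to the bridge question: it assumes pf filters on the two bridge member interfaces, uses placeholder interface names and documentation addresses for the macros, and adds the anchors through which ftp-proxy(8) installs its own per-session rules. The poster's stateless inside pass is left commented next to the stateful replacement so the difference is visible.

```pf
# Added example (not from the original message). Macro values are placeholders.
ext_if         = "em0"          # assumed public-side bridge member
int_if         = "em1"          # assumed internal-side bridge member
www_public_ip  = "192.0.2.10"   # placeholder, documentation range
www_private_ip = "10.0.0.10"    # placeholder
mail_public_ip = "192.0.2.20"   # placeholder

scrub in all

# ftp-proxy(8) loads its dynamic nat/rdr/pass rules into these anchors;
# without the anchors the proxy has nowhere to put them.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass on $ext_if inet proto tcp from any to $www_public_ip \
    port { ssh, www, ftp, ftp-data } -> $www_private_ip
rdr pass on $int_if inet proto tcp from any to any port ftp \
    -> 127.0.0.1 port 8021

block return-rst proto tcp all
block all

anchor "ftp-proxy/*"

# Weak form from the question: stateless, so the reply direction of every
# flow is judged by whatever rule happens to match on the other interface.
#   pass quick on $int_if all
#   pass out on $ext_if all
#
# Stateful form: each permitted flow creates a state entry and the reply
# packets are matched by the state table, not by a rule.
pass quick on $int_if all keep state
pass out on $ext_if all keep state

# DNS: keep state in both directions so the UDP answer is not treated as
# an unsolicited inbound datagram and blocked.
pass out on $ext_if inet proto udp from any to any port domain keep state
pass in  on $int_if inet proto udp from any to any port domain keep state

pass in quick on $ext_if proto tcp to self port ssh flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $www_private_ip port www \
    flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $mail_public_ip \
    port { smtp, pop3, www } flags S/SA keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and after a test connection inspect `pfctl -ss` to confirm a state entry exists for the flow on the interface where it entered; if none appears, the packet is being evaluated only by the stateless rules and the same drop the poster describes will recur.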