From: mouss <mouss@netoyen.net>
To: freebsd-pf@freebsd.org
Date: Mon, 08 Sep 2008 08:50:00 +0200
Subject: Re: bidirectional NAT in PF?
Message-ID: <48C4CB18.6010905@netoyen.net>
In-Reply-To: <20080906223103.GK1949@verio.net>
References: <1220706618.48c2813ab9cc6@imp.free.fr> <20080906204042.16491860@desktop> <20080906191403.GJ1949@verio.net> <20080906214155.52c6f2e7@desktop> <20080906223103.GK1949@verio.net>

David DeSimone wrote:
> I think I am using the wrong terminology. I should probably call it
> "double NAT" to differentiate it. "binat" works fine but it still only
> changes ONE of the IPs being translated (the source IP). In PF, you
> can use "nat" to translate the source IP, and "redir" to change the dest
> IP, but what if you want to change both? There is no direct way to do
> this, so I am wondering if two different rules could be matched at
> different times during the packet's transit through the gateway.
>

the common way is to use two rules: a nat and an rdr. This is used to fix the "reflection problem" for instance. I have used it with ipfilter in the past (though not for a reflection issue, but for a dmz setup), but I guess it works similarly on pf and other filters.
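The two-rule approach described in the reply, written out as an added pf.conf example (this is not configuration posted by anyone in the thread). It uses the pre-OpenBSD 4.7 `nat`/`rdr` syntax that FreeBSD shipped at the time; the interface names `em0`/`em1` and the RFC 5737 address 203.0.113.5 are assumed for illustration. The point is that an `rdr` rule matches the packet when it enters `$int_if` and a `nat` rule matches the same packet when it leaves `$int_if` after routing, so both the destination and the source are rewritten at different points of the transit through the gateway.

```pf
# Added example, not from the thread. Interface names and addresses are
# constructed for illustration (RFC 5737 documentation range).
ext_if = "em0"            # outside interface, holds $ext_ip
int_if = "em1"            # inside interface, holds the LAN gateway address
ext_ip = "203.0.113.5"    # public address that clients connect to
server = "192.168.1.10"   # web server on the same LAN as the clients

# Ordinary outbound source translation for the LAN.
nat on $ext_if from $int_if:network to any -> $ext_ip

# Outside clients: only the destination is rewritten (packet enters on $ext_if).
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $server port 80

# "Double NAT" for LAN clients that connect to the public address.
# Step 1: the packet enters on $int_if, so this rdr rewrites its destination.
rdr on $int_if proto tcp from $int_if:network to $ext_ip port 80 -> $server port 80
# Step 2: after routing the same packet leaves on $int_if, so this nat rewrites
# its source to the gateway's inside address. The server then replies to the
# gateway, which undoes both translations in reverse order from the state table.
nat on $int_if proto tcp from $int_if:network to $server port 80 -> $int_if

# Translation rules run before filter rules, so filter rules see the
# already-translated addresses.
pass in  on $int_if proto tcp from $int_if:network to $server port 80
pass out on $int_if proto tcp to $server port 80
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -ss` to see the resulting state entries, which show both the original and the translated addresses for a reflected connection. One consequence worth noting for anyone relying on server-side logs: after the `nat` rule applies, the server sees every reflected LAN client as the gateway's inside address, so the client's real address survives only in pf's state table and in pflog, not in the server's own access logs.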