From: Chris Telting <cdtelting-ml@comcast.net>
To: freebsd-pf@freebsd.org
Date: Tue, 11 Apr 2006 21:51:05 -0700
Subject: Nat interfering with filtering rules
List: freebsd-pf ("Technical discussion and general questions about packet filter (pf)")

Hello everyone, pf newbie here. I've been playing with rules for a day and I can't seem to wrap my head around what I'm supposed to do. First off I believe in "block all" and want an explicit opt-in system. Nat is kind of getting in the way.
pf.conf
-------------
int_if="em0"
ext_if="rl0"
int_net="192.168.2.0/24"

# Nat supposedly wants to be at the top of the list
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Block everything, all rules are explicitly opt in
block log all

# Allow all local traffic on local network
pass in on $int_if from $int_if:network to any
pass out on $int_if from $int_if:network to any

# Pass out to internet all local network traffic and keep state to allow connect
pass out on $ext_if from $int_if:network to any keep state

#pass from any to any

This doesn't work because the packet IP address has already been translated before the filter could get to it on $ext_if. If I change the rule to "from $ext_if" I can't distinguish between packets originating on the local network versus the gateway/server. And if I do so anyway, even if I specify "keep state", the returning packets don't get through from their external IP addresses. Only if I declare explicit pass in rules from specific IP addresses will I get return traffic.

Is there any way to do this without using a blanket "from any to any"? My first line of defence is identifying the traffic source. Can I possibly change the priority of Nat so that it is the last action processed? Of course after I get it working I'll add port-specific rules.

I'll appreciate any help offered.

Blue
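As an added illustration (not part of Chris's post or of any reply), a tag-based variant of the above pf.conf: the packet is classified on the inside interface, where its real source address is still visible, and the $ext_if rules then match on the tag rather than on the already-translated source. Interface and network names are taken from the post; the tag name LAN is an assumption.

```pf
int_if="em0"
ext_if="rl0"
int_net="192.168.2.0/24"

# Translation is applied before the filter on $ext_if, so outbound LAN
# packets reach the "pass out on $ext_if" rules already carrying ($ext_if)
# as their source address. That is why "from $int_net" never matched there.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny; every rule below is an explicit opt-in.
block log all

# Classify on the inside interface while the original source is visible.
# The tag (name "LAN" is assumed) stays attached to the packet through
# translation, and "keep state" records the connection so that replies are
# admitted without an explicit "pass in" rule for each remote address.
pass in on $int_if from $int_net to any tag LAN keep state

# Let the gateway itself reach LAN hosts (its own replies are covered by
# state created above).
pass out on $int_if from any to $int_net keep state

# Outbound on the external interface: LAN-originated traffic is recognised
# by its tag, not by its (translated) source address.
pass out on $ext_if from any to any tagged LAN keep state

# Traffic the gateway itself originates carries no tag; match it separately
# so it cannot ride on the LAN rule.
pass out on $ext_if from ($ext_if) to any ! tagged LAN keep state
```

Checking the syntax first with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf` avoids replacing a working ruleset with a broken one.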