From: "Jon Simola" <jsimola@gmail.com>
Date: Tue, 11 Apr 2006 22:25:10 -0700
To: "Chris Telting"
Cc: freebsd-pf@freebsd.org
Subject: Re: Nat interfering with filtering rules
Message-ID: <8eea04080604112225s4d5c8280ocec9d6a8c3733ea@mail.gmail.com>
In-Reply-To: <443C8739.6060507@comcast.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 4/11/06, Chris Telting wrote:
> pf newbie here. I've been playing with rules for a day and I can't seem
> to wrap my head around what I'm supposed to do. First off I believe in
> "block all" and want an explicit opt-in system. NAT is kind of getting
> in the way.

Have you read through the well commented example in the PF user's guide at
http://www.openbsd.org/faq/pf/example1.html ?

> pf.conf
> -------------
> int_if="em0"
> ext_if="rl0"
> int_net="192.168.2.0/24"
>
> # NAT supposedly wants to be at the top of the list
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
> # Block everything, all rules are explicitly opt in
> block log all
> # Allow all local traffic on local network
> pass in on $int_if from $int_if:network to any
> pass out on $int_if from $int_if:network to any
> # Pass out to internet all local network traffic and keep state to allow connect
> pass out on $ext_if from $int_if:network to any keep state
> #pass from any to any
>
> This doesn't work because the packet IP address has already been
> translated before the filter could get to it on $ext_if. If I change the
> rule to "from $ext_if" I can't distinguish between packets originating on
> the local network versus the gateway/server.

You *could* do that by tagging in the NAT rule if you needed to. Personally,
I haven't run into any situation where I needed to do that.

> And if I do so anyway, even if I specify "keep state", the returning
> packets don't get through from their external IP addresses.

You haven't allowed traffic out of the internal interface (pass out on
$int_if from any to $int_if:network).

> Only if I declare explicit pass in rules from specific IP addresses will
> I get return traffic. Is there any way to do this without using a blanket
> "from any to any"? My first line of defence is identifying the traffic
> source. Can I possibly change the priority of NAT so that it is the last
> action processed?

No, in PF the translation rules are always processed first.

> Of course after I get it working I'll add port-specific rules. I'll
> appreciate any help offered.

The man page for pf.conf can be a pretty intimidating read; I've got a couple
of network guys that have been going over it for a couple of months and are
still figuring out the more intricate options. The sample pf.conf is fairly
decent, but the OpenBSD PF user's guide at
http://www.openbsd.org/faq/pf/index.html is a good read and will go a long
way towards understanding how it works.

--
Jon Simola
Systems Administrator
ABC Communications
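A worked version of the approach Jon describes, added here as an example and not taken from the thread or from the PF user's guide: the NAT rule tags LAN-originated packets so the filter on $ext_if can still tell them apart from the gateway's own traffic after the source address has been rewritten, and a pass-out rule on $int_if lets the replies reach the LAN hosts. The interface names and network are the ones from Chris's pf.conf; the tag name LAN_NAT and the gateway's own outbound services (DNS and NTP) are assumptions for illustration. It uses the "nat on ... ->" syntax of the pf that FreeBSD ships (OpenBSD changed it to "match ... nat-to" in 4.7).

```pf
# Added example, not the original poster's config or the PF FAQ's.
# Interface names and network are from the thread; LAN_NAT and the
# gateway's own services (53, 123) are assumed for illustration.
int_if  = "em0"
ext_if  = "rl0"
int_net = "192.168.2.0/24"

# Translation rules are always evaluated before filter rules, so by the
# time a LAN packet is filtered "out on $ext_if" its source is already
# ($ext_if). Tagging it here lets the filter match on origin rather
# than on the (already rewritten) source address.
nat on $ext_if from $int_net to any tag LAN_NAT -> ($ext_if)

# Default deny, both directions, every interface. Later pass rules win
# because pf uses last-matching-rule semantics.
block log all

# LAN hosts talking to the gateway or to the outside world.
pass in on $int_if from $int_net to any keep state

# Replies to LAN hosts leave through the internal interface with an
# external source address, so "from $int_net" would never match them;
# this is the rule the original config was missing.
pass out on $int_if from any to $int_net keep state

# LAN-originated traffic on the external interface, matched by tag.
pass out on $ext_if tagged LAN_NAT keep state

# The gateway's own outbound traffic is never tagged by the nat rule, so
# it can be opted in separately and narrowly (DNS and NTP assumed here).
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port 53 \
    ! tagged LAN_NAT keep state
pass out on $ext_if proto udp from ($ext_if) to any port 123 \
    ! tagged LAN_NAT keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it (parse only, no change to the running ruleset), then "pfctl -vsr" to see per-rule match counters and "pfctl -ss" to confirm a state entry appears for a connection from a LAN host. The explicit "keep state" is required on the pf of that era; OpenBSD 4.1 and later (and the FreeBSD pf derived from it) make it the default on pass rules, where it is harmless to spell out.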