From: dacoder
To: freebsd-questions@freebsd.org
Date: Tue, 10 Mar 2009 18:52:48 -0400
Subject: puzzling ipnat behavior
Message-ID: <20090310225248.GF31232@mail2.dcoder.net>
Mail-Followup-To: freebsd-questions@freebsd.org
User-Agent: Mutt/1.4.1i

i've asked this question before, but i must have been unclear. i hope this is better:

i'm puzzled by how ipnat works, particularly by the fact that when the ip's on an inside nic are mapped to the ip on my outside nic, i have to configure ipfilter to allow any ip that might hit the outside nic access to the ip's on the inside nic. so, where wpi0 is the outside nic & the 1st /24 in 10.0.0.0 contains the ip of the inside nic & everything behind it:

ipnat.rules:

    allow wpi0 10.0.0.0/24 -> /32

ipf.rules:

    pass in quick from any to 10.0.0.0/24

i should have thought that since everything coming from outside to 10.0.0.0/24 is addressed to the this would be sufficient:

    pass in quick from to 10.0.0.0/24

but it isn't. what's wrong w/ my thinking? & why isn't this rule a security hazard?

david coder
network engineer emeritus
ntt/verio
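An added model, not code from the post or from IPFilter itself, of the processing order the question turns on: on input ipnat rewrites the destination before the filter rules run, on output the filter runs before ipnat, and the state table is consulted before the rule list. It uses the post's 10.0.0.0/24 and wpi0 map, with 198.51.100.2 standing in for the elided outside address, constructed remote hosts, a port-only NAT table, and an assumed trailing "block in all"; it shows why the "from <outside ip>" rule never matches a reply, why "from any" only matches packets ipnat has already translated, and how an outbound "keep state" rule admits the reply without a "from any" rule at all.

```python
from ipaddress import ip_address, ip_network

OUTSIDE_IP = "198.51.100.2"                 # assumed address of wpi0 (elided in the post)
INSIDE_NET = ip_network("10.0.0.0/24")

def addr_match(rule_addr, addr):
    """'any', a host, or a CIDR block, as written in ipf.rules."""
    return rule_addr == "any" or ip_address(addr) in ip_network(rule_addr, strict=False)

class IpfModel:
    """Simplified IPFilter: inbound = NAT, then state, then rules, then an
    assumed 'block in all'; outbound = filter/state first, then NAT.
    The NAT table is keyed on the outside port only, for brevity."""
    def __init__(self, pass_in_rules, keep_state=False):
        self.pass_in = pass_in_rules       # list of (src, dst) 'pass in quick' rules
        self.keep_state = keep_state       # 'pass out quick ... keep state' present?
        self.nat = {}                      # outside port -> inside host
        self.state = set()                 # (inside src, remote dst) pairs
        self.port = 40000

    def outbound(self, src, dst):
        if self.keep_state:                # filter sees the untranslated packet
            self.state.add((src, dst))
        if ip_address(src) in INSIDE_NET:  # map wpi0 10.0.0.0/24 -> OUTSIDE_IP/32
            self.port += 1
            self.nat[self.port] = src
            return OUTSIDE_IP, self.port
        return src, None

    def inbound(self, src, dst, dport):
        if dst == OUTSIDE_IP and dport in self.nat:
            dst = self.nat[dport]          # NAT is undone before filtering
        if (dst, src) in self.state:       # state table is checked before rules
            return "pass (state)"
        for rsrc, rdst in self.pass_in:
            if addr_match(rsrc, src) and addr_match(rdst, dst):
                return "pass (from %s to %s)" % (rsrc, rdst)
        return "block"

def reply_result(rules, keep_state=False):
    """10.0.0.7 talks to 203.0.113.5 (constructed); verdict on the reply."""
    fw = IpfModel(rules, keep_state)
    ext_ip, ext_port = fw.outbound("10.0.0.7", "203.0.113.5")
    return fw.inbound("203.0.113.5", ext_ip, ext_port)

def unsolicited_result(rules):
    """A packet to wpi0 with no NAT session: dst is never rewritten."""
    return IpfModel(rules).inbound("203.0.113.9", OUTSIDE_IP, 22)

POSTED = [(OUTSIDE_IP, "10.0.0.0/24")]    # pass in quick from <outside ip> to 10.0.0.0/24
ANY = [("any", "10.0.0.0/24")]            # pass in quick from any to 10.0.0.0/24
```

The reply's source is the remote host, never the outside address, so the posted rule cannot match; with "keep state" on the outbound rule the reply passes on state, which is the usual way to avoid a blanket "from any" rule.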