Date: Wed, 02 Jan 2008 16:28:11 -0500
From: Mike Tancsa <mike@sentex.net>
To: freebsd-pf@freebsd.org
Subject: use of ! in nat broken ?
Message-ID: <200801022126.m02LQ815007027@lava.sentex.ca>
It very well could be the booze 2 nights ago making me misread something
obvious, but should not

    nat on $ext_if from {$internal204,!$server1,!$server2} to any -> $officepublicIP

be the same as

    nat on $ext_if from {10.0.0.1,10.0.0.4,10.0.0.5,10.0.0.6,10.0.0.7,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27} to any -> $officepublicIP

and the same as

    nat on $ext_if from <204network> to any -> $officepublicIP

Where

    officepublicIP=67.43.133.205
    internal204=10.0.0.0/26
    server1=10.0.0.2/32
    server2=10.0.0.3/32
    table <204network> {!$server1,!$server2,$internal204}

If I use the first nat statement, traffic from my DMZ (199.212.134.7) gets
natted as $officepublicIP. If I use the second (explicit list) or third
(define the list in a table) all works as expected and 199.212.134.7 does
not get caught up in the nat statement.

# pfctl -sn
nat on tun0 inet from 192.168.10.0/24 to any -> (tun0:0)
nat on tun0 inet from 10.0.0.0/26 to any -> 67.43.133.205
nat on tun0 inet from ! 10.0.0.2 to any -> 67.43.133.205
nat on tun0 inet from ! 10.0.0.3 to any -> 67.43.133.205
nat on tun0 inet from 192.168.1.0/24 to any -> 67.43.133.204
binat on tun0 inet from 10.0.0.2 to any -> 67.43.133.206
binat on tun0 inet from 10.0.0.3 to any -> 67.43.133.207

vs

# pfctl -sn
nat on tun0 inet from 192.168.10.0/24 to any -> (tun0:0)
nat on tun0 inet from 10.0.0.1 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.4 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.5 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.6 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.7 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.8/29 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.16/28 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.32/27 to any -> 67.43.133.205
nat on tun0 inet from 192.168.1.0/24 to any -> 67.43.133.204
binat on tun0 inet from 10.0.0.2 to any -> 67.43.133.206
binat on tun0 inet from 10.0.0.3 to any -> 67.43.133.207

vs

# pfctl -sn
nat on tun0 inet from 192.168.10.0/24 to any -> (tun0:0)
nat on tun0 inet from <204network> to any -> 67.43.133.205
nat on tun0 inet from 192.168.1.0/24 to any -> 67.43.133.204
binat on tun0 inet from 10.0.0.2 to any -> 67.43.133.206
binat on tun0 inet from 10.0.0.3 to any -> 67.43.133.207

Kernel is 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #0: Fri Dec 14 15:02:59 EST 2007

I don't see anything new in the pf tree since then.

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
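The following is an added example, not part of the mail above and not pf code. It models, in Python, the two lookup semantics the three `pfctl -sn` listings illustrate: a brace list `{a, !b, !c}` is expanded by pfctl into one rule per element (visible in the first listing as separate `from ! 10.0.0.2` and `from ! 10.0.0.3` rules), so the rule set matches whenever any single element matches, and a lone negated element matches every source except the one it names; a table `<204network>` is a single lookup in which the most specific entry decides and a negated entry means "excluded". The longest-prefix modelling of table negation is an assumption about pf semantics made for this example; the addresses are the ones from the post.

```python
import ipaddress

# Constructed from the three rule forms in the post.
NEGATED_LIST = ["10.0.0.0/26", "!10.0.0.2/32", "!10.0.0.3/32"]
EXPLICIT_LIST = ["10.0.0.1", "10.0.0.4", "10.0.0.5", "10.0.0.6", "10.0.0.7",
                 "10.0.0.8/29", "10.0.0.16/28", "10.0.0.32/27"]
TABLE_204NETWORK = ["!10.0.0.2/32", "!10.0.0.3/32", "10.0.0.0/26"]


def parse(entries):
    """Turn 'addr' / '!addr' strings into (negated, network) pairs."""
    out = []
    for e in entries:
        neg = e.startswith("!")
        out.append((neg, ipaddress.ip_network(e.lstrip("!"), strict=False)))
    return out


def list_matches(entries, src):
    """Brace-list semantics: pfctl expands each element into its own rule,
    so the expanded rule set matches if ANY element matches on its own.
    A negated element by itself matches every source except that address."""
    ip = ipaddress.ip_address(src)
    return any((ip in net) != neg for neg, net in parse(entries))


def table_matches(entries, src):
    """Table semantics (assumed longest-prefix match): the most specific
    entry containing the source decides; a negated entry excludes it."""
    ip = ipaddress.ip_address(src)
    best = None
    for neg, net in parse(entries):
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (neg, net)
    return best is not None and not best[0]


def nat_decision(src):
    """Would each of the three rule forms NAT this source address?"""
    return {
        "negated_list": list_matches(NEGATED_LIST, src),
        "explicit_list": list_matches(EXPLICIT_LIST, src),
        "table": table_matches(TABLE_204NETWORK, src),
    }


def explicit_list_equals_table(network="10.0.0.0/26"):
    """The explicit host/subnet list and the table should agree on every
    usable host of the /26 (network and broadcast addresses excluded)."""
    return all(
        list_matches(EXPLICIT_LIST, str(h)) == table_matches(TABLE_204NETWORK, str(h))
        for h in ipaddress.ip_network(network).hosts()
    )


if __name__ == "__main__":
    for src in ("199.212.134.7", "10.0.0.4", "10.0.0.2"):
        print(src, nat_decision(src))
    print("explicit list == table:", explicit_list_equals_table())
```

Run as is: the DMZ host 199.212.134.7 is matched only by the negated-list form (the standalone `from ! 10.0.0.2` rule matches it), while the explicit list and the table both leave it alone, and the two latter forms agree on every host of the /26.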