From: Mike Tancsa <mike@sentex.net>
To: freebsd-pf@freebsd.org
Date: Wed, 02 Jan 2008 16:28:11 -0500
Subject: use of ! in nat broken ?
Message-Id: <200801022126.m02LQ815007027@lava.sentex.ca>
List-Id: "Technical discussion and general questions about packet filter (pf)"
It very well could be the booze 2 nights ago making me misread something obvious, but should not

nat on $ext_if from {$internal204,!$server1,!$server2} to any -> $officepublicIP

be the same as

nat on $ext_if from {10.0.0.1,10.0.0.4,10.0.0.5,10.0.0.6,10.0.0.7,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27} to any -> $officepublicIP

and the same as

nat on $ext_if from <204network> to any -> $officepublicIP

Where

officepublicIP=67.43.133.205
internal204=10.0.0.0/26
server1=10.0.0.2/32
server2=10.0.0.3/32
table <204network> {!$server1,!$server2,$internal204}

If I use the first nat statement, traffic from my DMZ (199.212.134.7) gets natted as $officepublicIP. If I use the second (explicit list) or third (define the list in a table), all works as expected and 199.212.134.7 does not get caught up in the nat statement.

# pfctl -sn
nat on tun0 inet from 192.168.10.0/24 to any -> (tun0:0)
nat on tun0 inet from 10.0.0.0/26 to any -> 67.43.133.205
nat on tun0 inet from ! 10.0.0.2 to any -> 67.43.133.205
nat on tun0 inet from ! 10.0.0.3 to any -> 67.43.133.205
nat on tun0 inet from 192.168.1.0/24 to any -> 67.43.133.204
binat on tun0 inet from 10.0.0.2 to any -> 67.43.133.206
binat on tun0 inet from 10.0.0.3 to any -> 67.43.133.207

vs

# pfctl -sn
nat on tun0 inet from 192.168.10.0/24 to any -> (tun0:0)
nat on tun0 inet from 10.0.0.1 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.4 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.5 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.6 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.7 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.8/29 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.16/28 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.32/27 to any -> 67.43.133.205
nat on tun0 inet from 192.168.1.0/24 to any -> 67.43.133.204
binat on tun0 inet from 10.0.0.2 to any -> 67.43.133.206
binat on tun0 inet from 10.0.0.3 to any -> 67.43.133.207

vs

# pfctl -sn
nat on tun0 inet from 192.168.10.0/24 to any -> (tun0:0)
nat on tun0 inet from <204network> to any -> 67.43.133.205
nat on tun0 inet from 192.168.1.0/24 to any -> 67.43.133.204
binat on tun0 inet from 10.0.0.2 to any -> 67.43.133.206
binat on tun0 inet from 10.0.0.3 to any -> 67.43.133.207

Kernel is 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #0: Fri Dec 14 15:02:59 EST 2007. I don't see anything new in the pf tree since then.

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
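Added example, not part of the original post and not pf's own code. pf.conf(5) documents that a brace list in a rule is expanded into one rule per element, so "from {$internal204,!$server1,!$server2}" becomes three independent nat rules, which is exactly what the first pfctl -sn listing above shows. The standalone "from ! 10.0.0.2" rule matches every source address except 10.0.0.2, so a DMZ host such as 199.212.134.7 matches it and gets translated. A table is different: it is a single address set, evaluated by longest-prefix match, in which a negated entry excludes its prefix. The Python below models those two lookup semantics side by side using the addresses from the post as constructed input. The helper names (compare, show_expansion), the rendering of rules with tun0 and 67.43.133.205, and the simplified longest-prefix table model are assumptions made here for illustration.

```python
"""Model of pf brace-list expansion versus pf table lookup for negated entries.

This is an illustration written for the mailing-list post above, not code
from pf or FreeBSD. Inputs are constructed from the addresses in the post.
"""
import ipaddress

# Constructed inputs mirroring the post's macros and table.
INTERNAL204 = "10.0.0.0/26"
SERVER1 = "10.0.0.2/32"
SERVER2 = "10.0.0.3/32"
LIST_FORM = [INTERNAL204, "!" + SERVER1, "!" + SERVER2]   # {$internal204,!$server1,!$server2}
TABLE_FORM = ["!" + SERVER1, "!" + SERVER2, INTERNAL204]  # table <204network> { ... }


def parse_entry(entry):
    """Split an entry such as '!10.0.0.2/32' into (negated, network)."""
    entry = entry.strip()
    negated = entry.startswith("!")
    if negated:
        entry = entry[1:].strip()
    return negated, ipaddress.ip_network(entry, strict=False)


def expand_list(entries):
    """Model pf.conf(5) list expansion: 'from {a, !b}' becomes two separate
    rules, 'from a' and 'from ! b'. Each element is evaluated on its own."""
    return [parse_entry(e) for e in entries]


def rule_matches(rule, addr):
    """One expanded rule: a negated address matches everything outside it."""
    negated, net = rule
    return (addr not in net) if negated else (addr in net)


def list_form_matches(entries, addr):
    """All expanded rules translate to the same target, so the address is
    translated if any one of them matches."""
    return any(rule_matches(r, addr) for r in expand_list(entries))


def table_form_matches(entries, addr):
    """Simplified model of a pf table lookup (assumption: longest-prefix match,
    with a negated entry meaning 'excluded'). This is what makes the table form
    behave like 'the /26 minus the two servers'."""
    best = None
    for negated, net in (parse_entry(e) for e in entries):
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (negated, net)
    return best is not None and not best[0]


def compare(addr_text, list_entries=LIST_FORM, table_entries=TABLE_FORM):
    """Return (translated_by_list_form, translated_by_table_form) for one source."""
    addr = ipaddress.ip_address(addr_text)
    return list_form_matches(list_entries, addr), table_form_matches(table_entries, addr)


def show_expansion(entries, ifname="tun0", target="67.43.133.205"):
    """Render the expanded rules the way pfctl -sn prints them (interface and
    translation address are assumed from the post)."""
    lines = []
    for negated, net in expand_list(entries):
        host = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        lines.append(f"nat on {ifname} inet from {'! ' if negated else ''}{host} to any -> {target}")
    return lines


if __name__ == "__main__":
    for line in show_expansion(LIST_FORM):
        print(line)
    for src in ("10.0.0.1", "10.0.0.2", "199.212.134.7"):
        translated_list, translated_table = compare(src)
        print(f"{src:>14}  list form: {translated_list}  table form: {translated_table}")
```

Run stand-alone, it prints the three expanded rules and then shows 199.212.134.7 being translated under the list form but not under the table form. The explicit-list variant in the post works for the same reason the table does: none of its elements is negated, so no single expanded rule can match an address outside the /26. The model also shows why 10.0.0.2 still matches the list form: its first expanded rule, "from 10.0.0.0/26", covers it, because the negated elements are separate rules rather than exclusions from that prefix.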