Date: Wed, 2 Jan 2008 22:09:42 -0600 From: David DeSimone <fox@verio.net> To: freebsd-pf@freebsd.org Subject: Re: use of ! in nat broken ? Message-ID: <20080103040942.GD10272@verio.net> In-Reply-To: <200801022126.m02LQ815007027@lava.sentex.ca> References: <200801022126.m02LQ815007027@lava.sentex.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mike Tancsa <mike@sentex.net> wrote:
>
> It very well could be the booze 2 nights ago making me misread
> something obvious, but should not
>
> nat on $ext_if from {$internal204,!$server1,!$server2} to any ->
> $officepublicIP
>
> be the same as
>
> nat on $ext_if from
> {10.0.0.1,10.0.0.4,10.0.0.5,10.0.0.6,10.0.0.7,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27}
> to any -> $officepublicIP
>
> and the same as
>
> nat on $ext_if from <204network> to any -> $officepublicIP
>
> Where
> officepublicIP=67.43.133.205
> internal204=10.0.0.0/26
> server1=10.0.0.2/32
> server2=10.0.0.3/32
> table <204network> {!$server1,!$server2,$internal204}
The mistake you're making here is the consider pf's syntax to be a
combined AND'd statement of boolean logic, which it is not. It is
really just simple macro expansion, which does not equate to the same
thing.
As you noted, a rule such as this:
nat on $ext_if from {$internal204,!$server1,!$server2} \
to any -> $officepublicIP
equates to the expanded ruleset:
nat on $ext_if from $internal204 to any -> $officepublicIP
nat on $ext_if from !$server1 to any -> $officepublicIP
nat on $ext_if from !$server2 to any -> $officepublicIP
Since $server1 is on the same network as $internal204, server1's traffic
will be NAT'd because it matches rule 1. And worse, rule 2 matches
nearly any traffic you forward, and even matches the firewall's own
traffic, because almost any source IP seen by the firewall will be
"not $server1's IP," so it matches the rule.
It sounds like what you really want is a clever collection of "no nat"
rules to prevent NAT from happening on certain addresses, followed by
"nat", such as:
no nat on $ext_if from {$server1,$server2} to any
nat on $ext_if from $internal204 to any -> $officepublicIP
This has the desired expansion:
no nat on $ext_if from $server1 to any
no nat on $ext_if from $server2 to any
nat on $ext_if from $internal204 to any -> $officepublicIP
and hopefully does what you want.
- --
David DeSimone == Network Admin == fox@verio.net
"This email message is intended for the use of the person to whom
it has been sent, and may contain information that is confidential
or legally protected. If you are not the intended recipient or have
received this message in error, you are not authorized to copy, dis-
tribute, or otherwise use this message or its attachments. Please
notify the sender immediately by return e-mail and permanently delete
this message and any attachments. Verio, Inc. makes no warranty that
this email is error or virus free. Thank you." --Lawyer Bot 6000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFHfGAGFSrKRjX5eCoRAnUrAKCM/NdenkUf0ZC2RacHbeC6c3jClQCglsqy
lHTgA/StUPdtsbZyobehGhc=
=9kR3
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080103040942.GD10272>