From owner-freebsd-pf@FreeBSD.ORG Thu Jan 3 04:40:17 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3B7C816A418 for ; Thu, 3 Jan 2008 04:40:17 +0000 (UTC) (envelope-from fox@verio.net) Received: from dfw-smtpout2.email.verio.net (dfw-smtpout2.email.verio.net [129.250.36.42]) by mx1.freebsd.org (Postfix) with ESMTP id 0EF6713C4F4 for ; Thu, 3 Jan 2008 04:40:17 +0000 (UTC) (envelope-from fox@verio.net) Received: from [129.250.36.64] (helo=dfw-mmp4.email.verio.net) by dfw-smtpout2.email.verio.net with esmtp id 1JAHOr-0005GY-EP for freebsd-pf@freebsd.org; Thu, 03 Jan 2008 04:09:45 +0000 Received: from [129.250.40.241] (helo=limbo.int.dllstx01.us.it.verio.net) by dfw-mmp4.email.verio.net with esmtp id 1JAHOr-0003tx-Ai for freebsd-pf@freebsd.org; Thu, 03 Jan 2008 04:09:45 +0000 Received: by limbo.int.dllstx01.us.it.verio.net (Postfix, from userid 1000) id 03EA38E296; Wed, 2 Jan 2008 22:09:42 -0600 (CST) Date: Wed, 2 Jan 2008 22:09:42 -0600 From: David DeSimone To: freebsd-pf@freebsd.org Message-ID: <20080103040942.GD10272@verio.net> Mail-Followup-To: freebsd-pf@freebsd.org References: <200801022126.m02LQ815007027@lava.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed Content-Disposition: inline In-Reply-To: <200801022126.m02LQ815007027@lava.sentex.ca> Precedence: bulk User-Agent: Mutt/1.5.9i Subject: Re: use of ! in nat broken ? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Jan 2008 04:40:17 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mike Tancsa wrote: > > It very well could be the booze 2 nights ago making me misread > something obvious, but should not > > nat on $ext_if from {$internal204,!$server1,!$server2} to any -> > $officepublicIP > > be the same as > > nat on $ext_if from > {10.0.0.1,10.0.0.4,10.0.0.5,10.0.0.6,10.0.0.7,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27} > to any -> $officepublicIP > > and the same as > > nat on $ext_if from <204network> to any -> $officepublicIP > > Where > officepublicIP=67.43.133.205 > internal204=10.0.0.0/26 > server1=10.0.0.2/32 > server2=10.0.0.3/32 > table <204network> {!$server1,!$server2,$internal204} The mistake you're making here is the consider pf's syntax to be a combined AND'd statement of boolean logic, which it is not. It is really just simple macro expansion, which does not equate to the same thing. As you noted, a rule such as this: nat on $ext_if from {$internal204,!$server1,!$server2} \ to any -> $officepublicIP equates to the expanded ruleset: nat on $ext_if from $internal204 to any -> $officepublicIP nat on $ext_if from !$server1 to any -> $officepublicIP nat on $ext_if from !$server2 to any -> $officepublicIP Since $server1 is on the same network as $internal204, server1's traffic will be NAT'd because it matches rule 1. And worse, rule 2 matches nearly any traffic you forward, and even matches the firewall's own traffic, because almost any source IP seen by the firewall will be "not $server1's IP," so it matches the rule. It sounds like what you really want is a clever collection of "no nat" rules to prevent NAT from happening on certain addresses, followed by "nat", such as: no nat on $ext_if from {$server1,$server2} to any nat on $ext_if from $internal204 to any -> $officepublicIP This has the desired expansion: no nat on $ext_if from $server1 to any no nat on $ext_if from $server2 to any nat on $ext_if from $internal204 to any -> $officepublicIP and hopefully does what you want. - -- David DeSimone == Network Admin == fox@verio.net "This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, dis- tribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you." --Lawyer Bot 6000 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFHfGAGFSrKRjX5eCoRAnUrAKCM/NdenkUf0ZC2RacHbeC6c3jClQCglsqy lHTgA/StUPdtsbZyobehGhc= =9kR3 -----END PGP SIGNATURE-----