From: Jeremy Chadwick <jdc@parodius.com>
To: "Jason C. Wells"
Cc: freebsd-pf@freebsd.org
Date: Tue, 20 May 2008 21:28:41 -0700
Subject: Re: nat pass and state
Message-ID: <20080521042841.GA69249@eos.sc1.parodius.com>
In-Reply-To: <48337A93.9090003@highperformance.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Tue, May 20, 2008 at 06:27:47PM -0700, Jason C. Wells wrote:
> I have these rules (and others) in pf.conf:
>
> nat pass on $ext_if from $int_net to any -> ($ext_if)
>
> block in all
> block out all
>
> I cannot connect to websites unless I also add:
>
> pass proto { tcp, udp } from any to any port http keep state
>
> My understanding is that nat rules are inherently stateful. I also
> understand that a packet that matches state bypasses filter rules. A hit
> on a web page should generate a state on the way out and then match that
> state on the way back in, avoiding the block rules.
> By testing, I show that the pass http rule is needed to complete the
> connection.
>
> Would someone please explain why the nat rule is not sufficient to allow
> me to access a web page? I must have a gross conceptual error on how PF
> works. This is too simple, but I just don't get it.

I believe it's because pf(4) doesn't make assumptions about what you want
to filter. NAT is stateful (it has to be, because packets are being
re-written, and the WAN-side port numbers are going to be different than
the LAN-side), but filtering rules still apply **after** the translation
has been done.

What's happening is that your nat rule results in pf re-writing the
packet, then the packet is immediately blocked by one of your block rules
(I'm assuming "block out").

The pf.conf manpage documents this, more or less:

  Since translation occurs before filtering the filter engine will see
  packets as they look after any addresses and ports have been translated.
  Filter rules will therefore have to filter based on the translated
  address and port number. Packets that match a translation rule are
  only automatically passed if the pass modifier is given, otherwise they
  are still subject to block and pass rules.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
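The following pf.conf fragment is an added example (it is not from the thread or from the FreeBSD project) that walks a LAN-to-web packet through the ruleset discussed above and shows which leg of its path the extra pass rule is really opening; the `$int_if` macro and the interface names are assumptions, while `$ext_if` and `$int_net` come from the original rules.

```pf
# Added example (not from the thread): minimal pf.conf of the same era
# showing why "nat pass" alone does not let LAN hosts reach the web.
# $int_if and the interface names below are assumed; $ext_if and $int_net
# are the macros used in the thread.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# Translation runs before filtering: the filter on $ext_if sees the packet
# with its source already rewritten to ($ext_if). The "pass" modifier
# exempts that translated, outbound packet on $ext_if from the block/pass
# rules below. It says nothing about any other interface or direction.
nat pass on $ext_if from $int_net to any -> ($ext_if)

block in all
block out all

# Before it ever reaches $ext_if, the same packet enters the firewall
# *inbound* on $int_if. No nat rule applies there, so "block in all"
# drops it. This is the leg the poster's extra pass rule was opening;
# here it is scoped to the internal interface and the LAN prefix only.
pass in on $int_if proto { tcp, udp } from $int_net to any port http keep state

# Reply packets from the web server arrive inbound on $ext_if and match
# the state the translation created there (pf records the LAN address,
# the NAT address and the remote address together in one state entry).
# After reverse translation they leave outbound on $int_if and match the
# state created by the "pass in" rule above, so neither leg is ever
# evaluated against "block in all" / "block out all" again.
#
# Checks (all standard pfctl(8) options):
#   pfctl -nf /etc/pf.conf    # parse only: catch syntax errors before loading
#   pfctl -f  /etc/pf.conf    # load the ruleset
#   pfctl -ss                 # list states; the http entries show both the
#                             # LAN source and the translated ($ext_if) source
```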