Date: Tue, 20 May 2008 22:03:32 -0700
From: "Jason C. Wells" <jcw@highperformance.net>
To: Jeremy Chadwick <koitsu@FreeBSD.org>
Cc: freebsd-pf@FreeBSD.org
Subject: Re: nat pass and state
Message-ID: <4833AD24.1040105@highperformance.net>
In-Reply-To: <20080521042841.GA69249@eos.sc1.parodius.com>
References: <48337A93.9090003@highperformance.net> <20080521042841.GA69249@eos.sc1.parodius.com>
Jeremy Chadwick wrote:
> I believe it's because pf(4) doesn't make assumptions about what you
> want to filter. NAT is stateful (it has to be, because packets are
> being re-written, and the WAN-side port numbers are going to be
> different than the LAN-side), but filtering rules still apply **after**
> the translation has been done.
>
> What's happening is that your nat rule results in pf re-writing the
> packet, then the packet is immediately blocked by one of your block
> rules (I'm assuming "block out").
>
> The pf.conf manpage documents this, more or less:
>
> Since translation occurs before filtering the filter engine will see
> packets as they look after any addresses and ports have been translated.
> Filter rules will therefore have to filter based on the translated
> address and port number. Packets that match a translation rule are only
> automatically passed if the pass modifier is given, otherwise they are
> still subject to block and pass rules.
I guess my misunderstanding comes in where the pass modifier is
concerned. I also have a weak understanding of what "state" actually means.
The "automatically passed" part of your citation isn't
automatically passing.
I think I'll just drop the pass modifier on the NAT rule. Then it
becomes precisely clear to me that I need a filter rule after the nat rule.
Regards,
Jason
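The approach Jason describes (drop the pass modifier from the nat rule and filter the translated packet explicitly) looks like the following in a pf.conf. This is an added example for illustration, not a configuration from either poster; the interface names, the LAN network and the ruleset are assumed. The point it makes is the one from the manpage quoted above: the filter engine sees the packet after translation, so the outbound rule on the external interface has to match the translated source address (here the address of $ext_if), not the LAN address.

```pf
# Assumed interface names and LAN prefix (example values, not from the thread)
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"

# Translation rule WITHOUT the pass modifier: the packet is rewritten
# and then handed to the filter rules like any other packet.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny, so only explicitly permitted traffic passes.
block all

# Inbound on the LAN side the packet still carries its LAN source address.
pass in on $int_if from $lan_net to any keep state

# Outbound on the WAN side the source has already been translated to the
# external address, so the rule matches ($ext_if), not $lan_net.
# "keep state" creates a state entry so the reply packets are matched
# to this state instead of having to pass the block rule on their own.
pass out on $ext_if from ($ext_if) to any keep state
```

Load it with `pfctl -f /etc/pf.conf` and inspect the resulting states with `pfctl -ss`; each LAN connection should show up as a state on $ext_if with the translated source address, which is what the filter rule on that interface is matching.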
