From: "Jason C. Wells" <jcw@highperformance.net>
Date: Tue, 20 May 2008 22:03:32 -0700
To: Jeremy Chadwick
Cc: freebsd-pf@FreeBSD.org
Subject: Re: nat pass and state
Message-ID: <4833AD24.1040105@highperformance.net>
In-Reply-To: <20080521042841.GA69249@eos.sc1.parodius.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Jeremy Chadwick wrote:
> I believe it's because pf(4) doesn't make assumptions about what you
> want to filter. NAT is stateful (it has to be, because packets are
> being re-written, and the WAN-side port numbers are going to be
> different than the LAN-side), but filtering rules still apply **after**
> the translation has been done.
>
> What's happening is that your nat rule results in pf re-writing the
> packet, then the packet is immediately blocked by one of your block
> rules (I'm assuming "block out").
>
> The pf.conf manpage documents this, more or less:
>
> Since translation occurs before filtering the filter engine will see
> packets as they look after any addresses and ports have been translated.
> Filter rules will therefore have to filter based on the translated
> address and port number. Packets that match a translation rule are only
> automatically passed if the pass modifier is given, otherwise they are
> still subject to block and pass rules.

I guess my misunderstanding comes in where the pass modifier is concerned. I also have a weak understanding of what "state" actually means. The "automatically passed" part of your citation isn't automatically passing.

I think I'll just drop the pass modifier on the NAT rule. Then it becomes precisely clear to me that I need a filter rule after the nat rule.

Regards,
Jason
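The translate-then-filter ordering Jeremy describes, and the explicit filter rule Jason decides to add instead of the pass modifier, as an added pf.conf example. This is not a ruleset from the thread; the interface names, the LAN prefix and the macro names are assumed for illustration. Two points it makes concrete: the filter section on the external interface must match the translated source address (the WAN address, not the LAN prefix), and the pass modifier on a nat rule only exempts the packet from filtering on the interface and direction where translation happens, so a "block in" on the LAN-side interface still stops the packet before it ever reaches the nat rule.

```conf
# Added example pf.conf, not from the mailing-list thread.
# Assumed names: em0 is the WAN-side interface, em1 the LAN-side interface,
# 192.168.1.0/24 the LAN prefix. Adjust for the real box.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# --- Variant A: translate and pass in one rule ---
# With the pass modifier, packets matching this nat rule on $ext_if outbound
# are passed and get a state entry WITHOUT being checked against the filter
# rules below. The state entry records both the untranslated and the
# translated addresses/ports, so reply packets are un-NATed and let back in
# by the state match alone. It does NOT exempt the same packet from a
# "block in on $int_if" rule, which is evaluated on the LAN interface before
# translation ever happens.
# nat pass on $ext_if from $lan_net to any -> ($ext_if)

# --- Variant B: translate here, decide in the filter section ---
# (this is what dropping the pass modifier leaves you with)
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny, logged, so the pfctl -s rules counters show what is dropped.
block log all

# Inbound leg on the LAN interface. The packet is still untranslated here,
# so the LAN prefix is the right thing to match.
pass in quick on $int_if from $lan_net to any keep state

# Outbound leg on the WAN interface. Filtering runs AFTER translation, so the
# source address the filter engine sees is the WAN address, ($ext_if).
# A rule written "from $lan_net" here would never match and "block log all"
# would win, which is exactly the symptom described in the thread.
pass out quick on $ext_if from ($ext_if) to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then watch `pfctl -s state` while a LAN host opens a connection: a single outbound flow produces a state entry that lists the LAN source, the translated WAN source and the destination, which is the "state" the nat rule needs in order to reverse the translation on the reply. `pfctl -s nat` and `pfctl -s rules` show the two rule sets separately and make the translate-then-filter split visible.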