Date: Fri, 04 Dec 2009 10:41:20 -0600 From: Greg Barniskis <nalists@scls.lib.wi.us> To: FreeBSD Questions <freebsd-questions@freebsd.org> Subject: PF binat rule issue - feature or bug? Message-ID: <4B193BB0.5000806@scls.lib.wi.us>
Using 7.2-RELEASE-p4 i386 with GENERIC kernel, I've found (the hard way)
that if I have a pf.conf rule like

    nat on $ext_if proto { tcp udp icmp } from $my_subnet \
        to any -> some.public.ip.num

then pfctl will perform the expected expansion of the listed protocols
into three separate NAT rules.

However, if I have a rule like

    binat on $ext_if proto { tcp udp icmp } from $server_dmz_ip \
        to any -> $server_public_ip

then I will /only/ get one NAT rule, for TCP.

Then things like NTP, DNS and ping will fail, but the filtering rules
that permit such traffic will increment their byte, packet and state
counters like PF is working just fine (and I suppose in some sense that
the filtering part is). But only if I explicitly declare in pf.conf a
separate binat rule for each desired protocol, instead of listing them,
will things work as needed.

Feature or bug? If the former, it is not well documented that I could
see. I expected that a list of protocols for a binat rule would just
work, and pfctl certainly didn't mark it as bad syntax. If a bug, is
this a FreeBSD bug or OpenBSD?
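The following pf.conf fragment is an added illustration, not part of the original message, of the workaround the poster describes (one explicit binat rule per protocol) placed beside the list form, together with the standard way to confirm what pfctl actually loaded. The interface name and addresses are constructed for the example; the macro names are the ones used in the message.

```pf
# Constructed values for the example; substitute your own.
ext_if           = "em0"
server_dmz_ip    = "192.0.2.10"
server_public_ip = "198.51.100.10"

# List form: the message reports that only the tcp rule is produced
# from this on 7.2-RELEASE-p4.
# binat on $ext_if proto { tcp udp icmp } from $server_dmz_ip \
#     to any -> $server_public_ip

# Explicit per-protocol form: one binat rule for each protocol that
# must be translated, which is what the message reports as working.
binat on $ext_if proto tcp  from $server_dmz_ip to any -> $server_public_ip
binat on $ext_if proto udp  from $server_dmz_ip to any -> $server_public_ip
binat on $ext_if proto icmp from $server_dmz_ip to any -> $server_public_ip

# Filter rules alone do not reveal the problem: they match and count
# traffic whether or not a translation applied, so pass rules for
# NTP, DNS and ping can show growing counters while those services fail.
pass in on $ext_if proto tcp  to $server_public_ip
pass in on $ext_if proto udp  to $server_public_ip port { 53, 123 }
pass in on $ext_if proto icmp to $server_public_ip icmp-type echoreq
```

To see how pfctl expands a ruleset before loading it, run `pfctl -nvf /etc/pf.conf` (parse only, verbose); each protocol in a list should appear as its own rule in the output. After loading, `pfctl -s nat` prints the translation rules actually in effect, which is the quickest way to tell whether a binat list was expanded or collapsed to a single protocol.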