need help with ipfw nat to pf nat migration
Victor Sudakov
vas at mpeks.tomsk.su
Mon Apr 1 03:34:27 UTC 2019
Dear Colleagues,
I'm trying to migrate some firewall rules from ipfw to pf. As pf does
NAT first and filtering after NAT, I have a problem doing the following:
1. All 192.168.0.0/16 addresses should be translated to the real IP of
the external interface.
2. A subset of the 192.168.0.0/16, for example 192.168.3.0/24,
should have access only to a limited list of addresses in the Internet,
for example 8.8.8.8 only.
However, because the "nat" rule has already done its job before
filtering, I cannot "block on $ext_if from 192.168.3.0/24 to any"
because the source has already been translated.
In ipfw I can "deny ip from 192.168.3.0/24 to not 8.8.8.8" before it
even gets into the nat rule, but what do I do with pf?
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
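One pf.conf arrangement that reproduces the ipfw behaviour described above, added here as an editor's example rather than taken from the post or any reply to it. Interface names (em0, em1) and the table names are assumptions; 192.168.0.0/16, 192.168.3.0/24 and 8.8.8.8 are the values from the question. The key point is that pf evaluates a packet once per interface it crosses: the NAT rule is applied on $ext_if, but the same packet has already been filtered inbound on $int_if with its source address still untranslated, so that is where the restriction goes. A second variant uses the `tag` keyword that pf.conf(5) allows on translation rules, for the case where the filtering really has to happen on $ext_if.

```pf
# Assumed interface names; adjust to the real ones.
ext_if = "em0"
int_if = "em1"

# Tables instead of "{ ... }" lists: a negated list is expanded into one
# rule per element (each with "!"), which matches everything. A negated
# table behaves as expected.
table <lan_net>        { 192.168.0.0/16 }
table <restricted_net> { 192.168.3.0/24 }
table <allowed_dst>    { 8.8.8.8 }

set skip on lo0

# Requirement 1: every 192.168.0.0/16 source leaves with the external
# interface's address. This runs on $ext_if, after the packet has already
# passed the inbound filter rules on $int_if.
nat on $ext_if inet from <lan_net> to any -> ($ext_if)

# Requirement 2, evaluated on the inbound side of the internal interface,
# where the source is still 192.168.3.x. "quick" stops evaluation here,
# so the later "pass in" cannot override it. Like the ipfw rule
# "deny ip from 192.168.3.0/24 to not 8.8.8.8", this also denies that
# subnet access to the firewall itself and to other internal networks.
block in quick on $int_if inet from <restricted_net> to ! <allowed_dst>

# The rest of the LAN may go anywhere; reply packets are matched by state.
pass in on $int_if inet from <lan_net> to any keep state

# Outbound on $ext_if the filter only ever sees the translated source.
pass out on $ext_if inet from ($ext_if) to any keep state

# Variant for filtering on $ext_if instead: let the NAT rule attach a tag
# (translation rules accept "tag", first matching nat rule wins, so the
# narrower rule must come first) and filter on the tag, which survives the
# address rewrite. Use either this pair of nat rules or the single one above,
# not both.
#nat on $ext_if inet from <restricted_net> to any tag RESTRICTED -> ($ext_if)
#nat on $ext_if inet from <lan_net> to any -> ($ext_if)
#block out quick on $ext_if inet tagged RESTRICTED to ! <allowed_dst>
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. `pfctl -sr` and `pfctl -sn` show the filter and translation rules as pf actually parsed them, which is the quickest way to confirm that the negated table was not expanded into something unintended.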