need help with ipfw nat to pf nat migration
Sergey Akhmatov
sergey at akhmatov.ru
Mon Apr 1 17:52:52 UTC 2019
Hello, Victor.
Try using "no nat".
table <limited_nat> {8.8.8.8, ..... }
# nat rules are first-match: the narrow rule goes before the catch-all
nat pass on $ext_if from 192.168.3.0/24 to <limited_nat> -> ($ext_if)
# everything else from 192.168.3.0/24 stays untranslated, so filter rules still see the private source
no nat on $ext_if from 192.168.3.0/24 to any
nat pass on $ext_if from 192.168.0.0/16 to any -> ($ext_if)
On 01/04/2019 06:34, Victor Sudakov wrote:
> Dear Colleagues,
>
> I'm trying to migrate some firewall rules from ipfw to pf. As pf does
> NAT first and filtering after NAT, I have a problem doing the following:
>
> 1. All 192.168.0.0/16 addresses should be translated to the real IP of
> the external interface.
>
> 2. A subset of the 192.168.0.0/16, for example 192.168.3.0/24,
> should have access only to a limited list of addresses in the Internet,
> for example 8.8.8.8 only.
>
> However, because the "nat" rule has already done its job before
> filtering, I cannot "block on $ext_if from 192.168.3.0/24 to any"
> because the source has already been translated.
>
> In ipfw I can "deny ip from 192.168.3.0/24 to not 8.8.8.8" before it
> even gets into the nat rule, but what do I do with pf?
>
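The "no nat" sequence suggested in the reply, expanded into a complete FreeBSD pf.conf fragment as an added example (not from Sergey's or Victor's mail). The interface names em0 and em1 are assumed placeholders; the fragment adds the filter-section block rule that the approach depends on, since pf's nat rules are first-match while its filter rules are last-match.

```conf
# Added example, not taken from the thread.
# Assumed placeholders: em0 is the external interface, em1 the LAN side.
ext_if = "em0"
int_if = "em1"

# Internet destinations that 192.168.3.0/24 is allowed to reach.
table <limited_nat> { 8.8.8.8 }

# --- Translation section (evaluated before filtering, first match wins) ---

# 1. Translate 192.168.3.0/24 only towards the permitted list. "pass"
#    lets the translated packet skip the filter rules below.
nat pass on $ext_if from 192.168.3.0/24 to <limited_nat> -> ($ext_if)

# 2. Any other packet from 192.168.3.0/24 is left untranslated, so the
#    filter section still sees its private source address and can block it.
no nat on $ext_if from 192.168.3.0/24 to any

# 3. The rest of 192.168.0.0/16 is translated unconditionally, as before.
nat pass on $ext_if from 192.168.0.0/16 to any -> ($ext_if)

# --- Filter section (last matching rule wins) ---

# Untranslated packets from 192.168.3.0/24 (i.e. everything not going to
# <limited_nat>) are dropped here instead of leaking a private source
# address onto the Internet. Logging makes the attempts visible in pflog.
block log on $ext_if from 192.168.3.0/24 to any

# LAN-side traffic is not subject to the restriction.
pass quick on $int_if
```

Check the rule set with `pfctl -nf /etc/pf.conf` before loading it; the parentheses around `$ext_if` make pf look up the interface address at run time rather than at load time.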
More information about the freebsd-net mailing list