need help with ipfw nat to pf nat migration

Victor Sudakov vas at mpeks.tomsk.su
Tue Apr 2 07:03:49 UTC 2019


Sergey Akhmatov wrote:
> > 
> > I'm trying to migrate some firewall rules from ipfw to pf. As pf does
> > NAT first and filtering after NAT, I have a problem doing the following:
> > 
> > 1. All 192.168.0.0/16 addresses should be translated to the real IP of
> > the external interface.
> > 
> > 2. A subset of the 192.168.0.0/16, for example 192.168.3.0/24,
> > should have access only to a limited list of addresses in the Internet,
> > for example 8.8.8.8 only.
> > 
> > However, because the "nat" rule has already done its job before
> > filtering, I cannot "block on $ext_if from 192.168.3.0/24 to any"
> > because the source has already been translated.
> > 
> > In ipfw I can "deny ip from 192.168.3.0/24 to not 8.8.8.8" before it
> > even gets into the nat rule, but what do I do with pf?
> > 

> Try using "no nat".
> 
> table <limited_nat> {8.8.8.8, ..... }
> nat pass on $ext_if from 192.168.3.0/24 to <limited_nat> -> $ext_if
> no nat on $ext_if from 192.168.3.0/24 to any
> nat pass on $ext_if from 192.168.0.0/16 to any -> $ext_if

Thank you Sergey, I get the idea. It is not very good though that
packets from 192.168.3.0/24 to not <limited_nat> will get into the
Internet with the untranslated private src address. I guess I need to
complete the configuration by a rule something like

block out on $ext_if from 192.168.3.0/24 to any

Is that right?

Or probably add a rule to block all traffic from 192.168.0.0/16 out via $ext_if.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
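The following pf.conf fragment is an added example assembling the approach discussed in this thread (it is not from either poster). The interface name em0 and the macro names are assumptions; only 8.8.8.8 comes from the thread.

```pf
# Added example, not from the thread. "em0" is an assumed interface name.
ext_if      = "em0"
int_net     = "192.168.0.0/16"
limited_net = "192.168.3.0/24"

# Destinations the limited subnet is allowed to reach.
table <limited_nat> { 8.8.8.8 }

# Translation rules. pf applies the FIRST matching nat/no nat rule,
# so the order below is what makes this work.
# 1. Translate the limited subnet only towards the permitted destinations.
nat on $ext_if from $limited_net to <limited_nat> -> ($ext_if)
# 2. Exclude the limited subnet from any later translation rule.
no nat on $ext_if from $limited_net to any
# 3. Translate the rest of the private range.
nat on $ext_if from $int_net to any -> ($ext_if)

# Filter rules are evaluated AFTER translation. A packet from the limited
# subnet that was not translated still carries its private source address
# here, so this rule stops it before it leaves with an RFC 1918 source.
# "nat pass" is deliberately not used above: with the pass modifier,
# translated packets would bypass these filter rules entirely.
block out log on $ext_if from $int_net to any

# Translated packets now have the external address as source; last
# matching rule wins, so this pass overrides the block for them only.
pass out on $ext_if from ($ext_if) to any keep state
```

Check the result with `pfctl -s nat` and `pfctl -s rules`, and watch `tcpdump -n -e -ttt -i pflog0` for logged private-source packets on $ext_if.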