need help with ipfw nat to pf nat migration

Victor Sudakov vas at mpeks.tomsk.su
Thu Apr 4 04:30:07 UTC 2019


Artem Viklenko via freebsd-net wrote:
> >>>
> >>> I'm trying to migrate some firewall rules from ipfw to pf. As pf does
> >>> NAT first and filtering after NAT, I have a problem doing the following:
> >>>
> >>> 1. All 192.168.0.0/16 addresses should be translated to the real IP of
> >>> the external interface.
> >>>
> >>> 2. A subset of the 192.168.0.0/16, for example 192.168.3.0/24,
> >>> should have access only to a limited list of addresses in the Internet,
> >>> for example 8.8.8.8 only.
> >>>
> >>> However, because the "nat" rule has already done its job before
> >>> filtering, I cannot "block on $ext_if from 192.168.3.0/24 to any"
> >>> because the source has already been translated.
> 
> 
> You can tag packets on ingress interface and then filter on egress interface 
> based on this tag:
> 

1.

> pass in quick on $int_if inet proto tcp from $server to any flags S/SA keep state allow-opts tag SERVER

2.

> block return-rst out log quick on $mob_if inet proto tcp to any port 25 tagged SERVER

You have already passed the packet with "quick" in the first rule; it
probably will never hit the second "block" rule?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
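The following pf.conf fragment is an added illustration, not a ruleset from this thread or from Artem's configuration. It applies the tag idea from the two quoted rules to the 192.168.3.0/24 case the original poster raised, and puts it next to the simpler alternative of filtering on the ingress interface, where the source address has not been translated yet. Interface names (em0, em1), the macro names and the table name are assumptions. On the "quick" question: "quick" ends evaluation of the ruleset only for the current pass (the packet arriving in on $int_if); the same packet is evaluated against the ruleset again, in the out direction, when it leaves on $ext_if, and the tag set on ingress is still attached, so an egress rule using "tagged" does get a chance to match it.

```pf
# Added example (not from the thread). Interface names, macro names and the
# table name are assumptions; adjust to the real setup.
ext_if = "em0"                     # external interface, carries the real IP
int_if = "em1"                     # internal interface facing 192.168.0.0/16
int_net = "192.168.0.0/16"
restricted_net = "192.168.3.0/24"
table <restricted_dst> { 8.8.8.8 } # the only destinations 192.168.3.0/24 may reach

set skip on lo0

# Translate all internal sources to the external interface's current address.
# NAT runs before the filter rules, so rules on $ext_if that match on the
# source address would see the translated address, not 192.168.x.y.
nat on $ext_if inet from $int_net to any -> ($ext_if)

block log all

# Option A: decide on the ingress interface, before NAT has touched the packet.
# The source address is still the original 192.168.3.0/24 address here.
block in log quick on $int_if inet from $restricted_net to ! <restricted_dst>
pass in quick on $int_if inet from $int_net to any keep state

# Option B (the tag approach from the thread): mark on ingress, decide on
# egress. "quick" on the ingress rule only ends this pass through the ruleset;
# the packet is evaluated again, in the out direction, when it leaves on
# $ext_if, and the tag is still attached. Use these instead of Option A.
# pass in quick on $int_if inet from $restricted_net to any keep state tag RESTRICTED
# pass in quick on $int_if inet from $int_net to any keep state
# block out log quick on $ext_if inet to ! <restricted_dst> tagged RESTRICTED

# Egress pass for everything that was not blocked above.
pass out quick on $ext_if inet keep state
```

Both options keep the NAT rule unchanged; the difference is only where the policy decision is made. Check the syntax with "pfctl -nf /etc/pf.conf" before loading, and watch the "block log" hits with tcpdump on pflog0 to confirm that 192.168.3.0/24 traffic to anything other than the table entries is being dropped at the intended rule.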