Nat interfering with filtering rules
Jon Simola
jon at abccomm.com
Wed Apr 12 05:25:13 UTC 2006
On 4/11/06, Chris Telting <cdtelting-ml at comcast.net> wrote:
> pf newbie here. I've been playing with rules for a day and I can't seem
> to wrap my head around what I'm supposed to do. First off I believe in
> "block all" and want an explicit opt-in system. NAT is kind of getting
> in the way.
Have you read through the well commented example in the PF users guide
at http://www.openbsd.org/faq/pf/example1.html ?
>
> pf.conf
> -------------
> int_if="em0"
> ext_if="rl0"
> int_net="192.168.2.0/24"
>
> # NAT supposedly wants to be at the top of the list
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
> # Block everything, all rules are explicitly opt in
> block log all
> # Allow all local traffic on local network
> pass in on $int_if from $int_if:network to any
> pass out on $int_if from $int_if:network to any
> # Pass out to internet all local network traffic and keep state to allow connect
> pass out on $ext_if from $int_if:network to any keep state
> #pass from any to any
>
> This doesn't work because the packet IP address has already been translated
> before the filter could get to it on $ext_if. If I change the rule to
> "from $ext_if" I can't distinguish between packets originating on the
> local network versus the gateway/server.
You *could* do that by tagging in the NAT rule if you needed to.
Personally, I haven't run into any situation where I needed to do
that.
> And if I do so anyway, even if I specify "keep state" the returning
> packets don't get through from their external IP addresses.
You haven't allowed traffic out of the internal interface (pass out on
$int_if from any to $int_if:network).
> Only if I declare explicit pass in rules from specific IP addresses
> will I get return traffic. Is there any way to do this without using a
> blanket "from any to any"? My first line of defence is identifying the
> traffic source. Can I possibly change the priority of NAT so that it is
> the last action processed?
No, in PF the translation rules are always processed first.
> Of course after I get it working I'll add port-specific rules. I'll
> appreciate any help offered.
The man page for pf.conf can be a pretty intimidating read; I've got a
couple of network guys that have been going over it for a couple of months
and are still figuring out the more intricate options. The sample
pf.conf is fairly decent, but the OpenBSD PF user's guide at
http://www.openbsd.org/faq/pf/index.html is a good read and will go a
long way towards understanding how it works.
--
Jon Simola
Systems Administrator
ABC Communications
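To illustrate the two points made in this reply (translation rules run before filter rules, and return traffic needs a pass out on the inside interface), here is an added pf.conf fragment. It is not from the original thread or from either poster; it keeps the interface names and network from the quoted config, and the tag name LAN_OUT is an arbitrary choice for this example.

```conf
int_if="em0"
ext_if="rl0"
int_net="192.168.2.0/24"

# Translation is evaluated before the filter rules, so the source address
# seen on $ext_if is already the gateway's. Mark LAN-originated packets here
# so the filter can still tell them apart from the gateway's own traffic.
# (LAN_OUT is an arbitrary tag name chosen for this example.)
nat on $ext_if from $int_net to any tag LAN_OUT -> ($ext_if)

# Default deny; everything below is an explicit opt-in.
block log all

# LAN hosts talking to the gateway or to the internet, arriving on the
# inside interface. State is kept so replies match without extra rules.
pass in on $int_if from $int_net to any keep state

# Replies coming back from the internet (and anything the gateway itself
# sends to the LAN) leave through the inside interface. Without this rule
# the return packets are dropped by "block log all".
pass out on $int_if from any to $int_net keep state

# Only packets that carry the tag set by the NAT rule may leave the
# external interface. Gateway-originated traffic has no tag and stays
# blocked until a separate rule opts it in.
pass out on $ext_if from any to any tagged LAN_OUT keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. With `block log all` in place, `tcpdump -n -e -ttt -i pflog0` shows exactly which interface and direction is still dropping a packet, which is the quickest way to confirm whether a missing rule is on $int_if or $ext_if.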