PF + if_bridge + NAT anomaly
Jay L. T. Cornwall
jay at jcornwall.me.uk
Fri Apr 18 00:16:41 UTC 2008
Hi,
I have a bridging FreeBSD machine configured as follows:
LAN <---> vr0 ---bridge0--- vr1 <--> WAN
With the following PF ruleset:
int_if = "vr0"
ext_if = "vr1"
bridge_if = "bridge0"
nat_from_ips = "192.168.1.0/24"
nat_to_ip = "<private>"
set skip on lo0
scrub in all
nat on $ext_if from $nat_from_ips to any -> $nat_to_ip
block in all
#block out all *commented out*
antispoof quick for { lo0 }
pass in quick on $int_if
pass out quick on $int_if
pass in quick on $bridge_if
#pass out quick on $bridge_if *commented out*
pass out quick on $ext_if
This configuration works correctly. Machines on the LAN with private IPs
are NAT'd to a public IP and others with their own public IPs are routed
correctly.
However, note that I have commented out the 'block out all' rule.
Commenting this and the later 'pass out quick on $ext_if' back in works
correctly for LAN machines with public IPs. However, doing this disables
NAT.
Even without 'block out all', the simple presence of:
pass out quick on $bridge_if
Causes NAT to stop. tcpdump on vr1 shows that packets with private IPs
are passing to the WAN (and being filtered upstream). What is causing
NAT to stop functioning by the presence of a loose rule? Does the
default 'pass all' have additional flags necessary for NAT to function
correctly?
Thanks,
--
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
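An added example, not code from the original post or from PF or FreeBSD: a small Python model of PF's per-hook evaluation on this bridge that reproduces the behaviour described above and shows two configurations that stop the bridge0 state from being reused on vr1. It assumes (the post does not confirm this) that pass rules keep floating state by default, that PF matches existing state before it evaluates NAT and filter rules, and that if_bridge runs the outbound hooks on bridge0 before the member interface; 203.0.113.1 and 198.51.100.9 are constructed stand-ins for the NAT address and a WAN host.

```python
# Added example, not code from the original post: a simplified model of how PF
# evaluates one packet at each pfil hook on an if_bridge host. Assumed, not
# confirmed by the post: pass rules keep floating state, PF matches existing
# state before evaluating NAT and filter rules, and if_bridge runs the outbound
# hooks on bridge0 before vr1. 203.0.113.1 stands in for the post's "<private>".
import ipaddress
NAT_IP = "203.0.113.1"
NAT_NET = ipaddress.ip_network("192.168.1.0/24")
HOOKS = [("vr0", "in"), ("bridge0", "in"), ("bridge0", "out"), ("vr1", "out")]
# The post's 'pass ... quick on <if>' rules as (direction, interface) pairs.
POSTED = [("in", "vr0"), ("out", "vr0"), ("in", "bridge0"), ("out", "vr1")]
WITH_BRIDGE_OUT = POSTED + [("out", "bridge0")]

def send(src, dst, rules, if_bound=False, pfil_bridge=True):
    """Walk one LAN->WAN packet through the hooks; return the source address
    that reaches the wire and the hooks that passed the packet via state."""
    states, via_state = [], []
    for ifn, d in HOOKS:
        if ifn == "bridge0" and not pfil_bridge:  # net.link.bridge.pfil_bridge=0
            continue
        # 1. State lookup first: a floating state (if None) matches on any
        #    interface, an if-bound one only on the interface that created it.
        hit = next((s for s in states if s["if"] in (None, ifn) and
                    (d == "out" and (s["lan"], s["ext"]) == (src, dst) or
                     d == "in" and (s["ext"], s["gwy"]) == (src, dst))), None)
        if hit:
            via_state.append(f"{ifn}:{d}")
            if d == "out":
                src = hit["gwy"]  # use the translation stored in the state, if any
            continue
        # 2. No state: the NAT rule is consulted now, and only on $ext_if (vr1).
        new_src = NAT_IP if (d == "out" and ifn == "vr1" and
                             ipaddress.ip_address(src) in NAT_NET) else src
        # 3. Filter rules: a matching explicit pass rule creates state; the
        #    implicit default 'pass all' does not.
        if (d, ifn) in rules:
            bound = ifn if if_bound else None  # 'set state-policy if-bound'
            states.append({"lan": src, "gwy": new_src, "ext": dst, "if": bound}
                          if d == "out" else
                          {"lan": dst, "gwy": dst, "ext": src, "if": bound})
        src = new_src
    return src, via_state

def demo(src="192.168.1.5", dst="198.51.100.9"):
    return {
        "posted": send(src, dst, POSTED),
        "bridge_out": send(src, dst, WITH_BRIDGE_OUT),
        "if_bound": send(src, dst, WITH_BRIDGE_OUT, if_bound=True),
        "pfil_bridge_off": send(src, dst, WITH_BRIDGE_OUT, pfil_bridge=False),
    }
```

Under these assumptions the stateful bridge0 rule creates a floating state that vr1 then honours without ever consulting the NAT rule, whereas `set state-policy if-bound` or `net.link.bridge.pfil_bridge=0` keeps the NAT rule in play.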