use of ! in nat broken ?

David DeSimone fox at verio.net
Wed Jan 2 20:40:17 PST 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike Tancsa <mike at sentex.net> wrote:
>
> It very well could be the booze 2 nights ago making me misread 
> something obvious, but should not
> 
> nat on $ext_if from {$internal204,!$server1,!$server2}  to any -> 
> $officepublicIP
> 
> be the same as
> 
> nat on $ext_if from 
> {10.0.0.1,10.0.0.4,10.0.0.5,10.0.0.6,10.0.0.7,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27} 
> to any -> $officepublicIP
> 
> and the same as
> 
> nat on $ext_if from <204network>  to any -> $officepublicIP
> 
> Where
> officepublicIP=67.43.133.205
> internal204=10.0.0.0/26
> server1=10.0.0.2/32
> server2=10.0.0.3/32
> table <204network> {!$server1,!$server2,$internal204}

The mistake you're making here is the consider pf's syntax to be a
combined AND'd statement of boolean logic, which it is not.  It is
really just simple macro expansion, which does not equate to the same
thing.

As you noted, a rule such as this:

    nat on $ext_if from {$internal204,!$server1,!$server2}  \
	to any -> $officepublicIP

equates to the expanded ruleset:

    nat on $ext_if from $internal204 to any -> $officepublicIP
    nat on $ext_if from !$server1    to any -> $officepublicIP
    nat on $ext_if from !$server2    to any -> $officepublicIP

Since $server1 is on the same network as $internal204, server1's traffic
will be NAT'd because it matches rule 1.  And worse, rule 2 matches
nearly any traffic you forward, and even matches the firewall's own
traffic, because almost any source IP seen by the firewall will be
"not $server1's IP," so it matches the rule.

It sounds like what you really want is a clever collection of "no nat"
rules to prevent NAT from happening on certain addresses, followed by
"nat", such as:

    no nat on $ext_if from {$server1,$server2} to any
       nat on $ext_if from $internal204        to any -> $officepublicIP

This has the desired expansion:

    no nat on $ext_if from $server1     to any
    no nat on $ext_if from $server2     to any
       nat on $ext_if from $internal204 to any -> $officepublicIP

and hopefully does what you want.

- -- 
David DeSimone == Network Admin == fox at verio.net
"This email message is intended for the use of the person to whom
 it has been sent, and may contain information that is confidential
 or legally protected.  If you are not the intended recipient or have
 received this message in error, you are not authorized to copy, dis-
 tribute, or otherwise use this message or its attachments.  Please
 notify the sender immediately by return e-mail and permanently delete
 this message and any attachments.  Verio, Inc. makes no warranty that
 this email is error or virus free.  Thank you."  --Lawyer Bot 6000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFHfGAGFSrKRjX5eCoRAnUrAKCM/NdenkUf0ZC2RacHbeC6c3jClQCglsqy
lHTgA/StUPdtsbZyobehGhc=
=9kR3
-----END PGP SIGNATURE-----

More information about the freebsd-pf mailing list