From: Maxim Khitrov
Date: Wed, 9 Feb 2011 07:38:42 -0500
To: Da Rock
Cc: freebsd-questions@freebsd.org
Subject: Re: pf, binat, rdr, and one ip
In-Reply-To: <4D527BAC.3080805@herveybayaustralia.com.au>

On Wed, Feb 9, 2011 at 6:34 AM, Da Rock wrote:
> On 02/09/11 21:16, Daniel Bye wrote:
>> On Wed, Feb 09, 2011 at 09:08:53AM +1000, Da Rock wrote:
>>> On 02/09/11 01:18, Daniel Bye wrote:
>>>> On Wed, Feb 09, 2011 at 12:20:56AM +1000, Da Rock wrote:
>>>>> A very quick question.
>>>>>
>>>>> PF firewall. One static public IP. About 6 servers on the internal
>>>>> network (dmz). One server binat in the pf.conf, the rest redirected.
>>>>>
>>>>> Possible? Or would it die in the hole?
>>>>
>>>> I guess you're concerned about performance and resource usage? If so,
>>>> this may be helpful.
>>>>
>>>> http://www.openbsd.org/faq/pf/perf.html
>>>>
>>>> Dan
>>>
>>> Useful info to have, thanks. But no, I'm interested in if the binatting
>>> will interfere with the rdr's (or vice versa).
>>
>> Ah, I see. I don't know, is the straight answer - I've never needed to use
>> both together. A bit of idle googling seems to suggest it's possible, but
>> I don't have time right now to dig any deeper.
>
> That's exactly what I got too. Nothing definitive to go on. Apparently not a
> very common arrangement. It *seems* to be working, but there are some weird
> quirks I can't quite account for. Hence the question to the guys who'd
> know... :)

According to pf.conf(5):

    Evaluation order of the translation rules is dependent on the type of
    the translation rules and of the direction of a packet. binat rules are
    always evaluated first. Then either the rdr rules are evaluated on an
    inbound packet or the nat rules on an outbound packet. Rules of the
    same type are evaluated in the same order in which they appear in the
    ruleset. The first matching rule decides what action is taken.

The way I interpret this is that when an outside client tries to establish
a connection to one of your servers, the rdr rules will never be evaluated,
since the only public IP is translated with binat. Outgoing connections
shouldn't have a problem, since binat will only match one local IP address
and the others can be translated with nat rules.

- Max
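The evaluation order Max quotes is easiest to see in a concrete ruleset. The pf.conf below is an added illustration, not a file posted by anyone in this thread; the interface names (em0/em1), the public address 203.0.113.10 (RFC 5737 documentation range) and the DMZ hosts in 192.168.10.0/24 are assumed. Layout A is the arrangement the original poster describes, kept commented out; layout B is the same set of services expressed with nat plus one rdr per exposed port, which is what a single public IP leaves you.

```pf
# Added example (not from the thread). Interfaces and addresses are assumed.
ext_if = "em0"
dmz_if = "em1"
pub_ip = "203.0.113.10"
www    = "192.168.10.10"
mail   = "192.168.10.20"
ns     = "192.168.10.30"

# --- Layout A: one binat host plus rdr for the rest (commented out so this
# --- file loads as layout B). binat rules are evaluated before any rdr, and
# --- "binat ... from $www to any -> $pub_ip" matches every inbound packet
# --- whose destination is $pub_ip, whatever the port. The two rdr lines
# --- below it are therefore never consulted: port 25 and port 53 traffic
# --- is delivered to $www, not to $mail or $ns. binat accepts a "proto"
# --- qualifier but no port, so it cannot be narrowed to fix this.
#binat on $ext_if from $www to any -> $pub_ip
#rdr on $ext_if proto tcp from any to $pub_ip port 25 -> $mail
#rdr on $ext_if proto { tcp udp } from any to $pub_ip port 53 -> $ns
#nat on $ext_if from $dmz_if:network to any -> $pub_ip

# --- Layout B: same services, one public IP, no binat.
# Outbound: every DMZ host leaves as $pub_ip.
nat on $ext_if from $dmz_if:network to any -> $pub_ip

# Inbound: one rdr per exposed service. Rules of the same type are tried in
# file order and the first match wins, so keep the specific ones together.
rdr on $ext_if proto tcp from any to $pub_ip port 80 -> $www
rdr on $ext_if proto tcp from any to $pub_ip port 443 -> $www
rdr on $ext_if proto tcp from any to $pub_ip port 25 -> $mail
rdr on $ext_if proto { tcp udp } from any to $pub_ip port 53 -> $ns

# In this generation of pf, translation happens before filtering, so the
# pass rules must name the DMZ addresses, not $pub_ip. A port that has an
# rdr but no matching pass rule is still dropped by the block below.
block in on $ext_if
pass in on $ext_if proto tcp from any to $www port { 80 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail port 25 flags S/SA keep state
pass in on $ext_if proto { tcp udp } from any to $ns port 53 keep state
pass out on $ext_if keep state
```

Two checks worth running before trusting either layout: `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -s nat` prints the loaded translation rules in the order pf evaluates them, with binat entries ahead of rdr regardless of where they sat in the file. If a service "works" only intermittently under layout A, `pfctl -s state` will show the inbound states being created toward the binat host rather than the rdr target. If the binat host genuinely needs every port of a public address (a protocol with dynamic ports, for instance), the fix is a second public IP rather than trying to make rdr win over binat.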