Date: Wed, 22 Mar 2006 11:39:44 +0100
From: Erik Norgaard <norgaard@locolomo.org>
To: sub02@freeode.co.uk
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter & nat redirect
Message-ID: <44212970.1070607@locolomo.org>
In-Reply-To: <548122hg7q2toe5461jpo9t8bua72uq9oj@4ax.com>
References: <MIEPLLIBMLEEABPDBIEGOEMOHCAA.fbsd_user@a1poweruser.com> <548122hg7q2toe5461jpo9t8bua72uq9oj@4ax.com>
John Murphy wrote:
> I think the filter action occurs before NAT so you would need this:
>
> pass in log quick on dc0 proto tcp from any to <your live IP> port = 80

For ip-filter, if nat is done when the packet comes IN on an interface, like with rdr, then this takes place BEFORE filtering. If nat is done when the packet goes OUT on an interface, then this takes place AFTER filtering.

If you use binat, then you can think of it as the combination of rdr and nat. The reason that binat is not really rdr+nat is that rdr requires a specific port. But for understanding where the nat'ing takes place for binat, thinking of rdr+nat on the same interface works.

This means that when nat is configured correctly, you can completely forget about it when writing the firewall rules and just think of all networks as routable.

Cheers, Erik
--
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
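The following ipnat.conf and ipf.conf fragments are an added illustration of the ordering Erik describes; they are not part of the original thread and not something either poster supplied. The interface name dc0 is taken from John's rule, but the addresses are assumed: 203.0.113.10 as the public address on dc0, 192.168.1.10 as an internal web server, and 192.168.1.0/24 as the internal network. Because rdr is applied to an inbound packet before the filter sees it, the inbound pass rule matches on the internal (post-rdr) destination, not the live IP; because map is applied to an outbound packet after filtering, the outbound rule matches on the private (pre-map) source.

```conf
# --- /etc/ipnat.conf (added example, addresses assumed) ---
# Inbound on dc0: rewrite public :80 to the internal web server.
# ipfilter performs this rdr BEFORE the inbound filter rules run.
rdr dc0 203.0.113.10/32 port 80 -> 192.168.1.10 port 80 tcp

# Outbound on dc0: hide the internal network behind the public address.
# ipfilter performs this map AFTER the outbound filter rules run.
map dc0 192.168.1.0/24 -> 203.0.113.10/32

# Alternative to the two rules above: a 1:1 mapping for a single host,
# which is what the thread calls binat (ipnat's keyword is bimap).
# Think of it as rdr + map on the same interface with no port restriction.
# bimap dc0 192.168.1.10/32 -> 203.0.113.10/32

# --- /etc/ipf.conf (added example, addresses assumed) ---
# Inbound HTTP: the packet has ALREADY been rewritten by rdr, so the
# destination the filter sees is 192.168.1.10, not 203.0.113.10.
pass in log quick on dc0 proto tcp from any to 192.168.1.10 port = 80 flags S keep state

# Outbound from the internal network: the packet has NOT yet been
# rewritten by map, so the source the filter sees is still private.
pass out quick on dc0 proto tcp from 192.168.1.0/24 to any flags S keep state

# Everything else arriving on the outside interface is dropped.
block in log quick on dc0 all
```

With the rdr in place, a rule written against the live IP (as in John's suggestion) never matches inbound HTTP on dc0, since the destination has already been changed by the time filtering happens; `ipfstat -io` shows the active rules and `ipnat -l` the active mappings if you want to confirm which addresses each layer is working with.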