From: Erik Norgaard <norgaard@locolomo.org>
Date: Wed, 22 Mar 2006 11:39:44 +0100
To: sub02@freeode.co.uk
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter & nat redirect
Message-ID: <44212970.1070607@locolomo.org>

John Murphy wrote:
> I think the filter action occurs before NAT so you would need this:
>
> pass in log quick on dc0 proto tcp from any to port = 80

For ip-filter, if nat is done when the packet comes IN on an interface, like with rdr, then this takes place BEFORE filtering. If nat is done when the packet goes OUT on an interface then this takes place AFTER filtering. If you use binat then you can think of it as the combination of rdr and nat.
The reason that binat is not really rdr+nat is that rdr requires a specific port. But for understanding where the nat'ing takes place for binat, thinking rdr+nat on the same interface works.

This means that when nat is configured correctly then you can completely forget about it when writing the firewall rules and just think of all networks as routable.

Cheers, Erik

--
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
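The ordering Erik describes (rdr applied before inbound filtering, map applied after outbound filtering) decides which addresses the ipf rules must name. The following ipnat.conf and ipf.conf fragments are an added illustration, not from the thread; the interface name dc0 is taken from John's rule, while the public address 203.0.113.10, the internal web server 192.168.1.10 and the LAN 192.168.1.0/24 are constructed sample values.

```conf
# ---- /etc/ipnat.conf (constructed example) ----
# Inbound: rewrite the public address to the internal web server.
# This happens BEFORE the ipf "in" rules see the packet.
rdr dc0 203.0.113.10/32 port 80 -> 192.168.1.10 port 80 tcp

# Outbound: hide the LAN behind the interface address (0/32).
# This happens AFTER the ipf "out" rules see the packet.
map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto

# ---- /etc/ipf.conf (constructed example) ----
# Because rdr already ran, the inbound rule must match the
# INTERNAL destination, not the public 203.0.113.10.
pass in quick on dc0 proto tcp from any to 192.168.1.10 port = 80 flags S keep state

# Everything else arriving on dc0 is dropped and logged.
block in log quick on dc0 all

# Because map has NOT run yet, the outbound rule must match the
# PRIVATE source network, not the public interface address.
pass out quick on dc0 proto tcp from 192.168.1.0/24 to any flags S keep state
pass out quick on dc0 proto udp from 192.168.1.0/24 to any keep state
block out log quick on dc0 all
```

A rule written against 203.0.113.10 port 80 in the "in" direction never matches a redirected packet, so the first symptom of getting the ordering wrong is a working rdr entry (visible with ipnat -l) combined with blocked connections in the ipf log. Writing the filter purely in terms of the internal addresses, as Erik suggests, keeps the rule set readable and avoids that class of mistake.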