From: Sergey Akhmatov
To: Victor Sudakov, freebsd-net@freebsd.org
Subject: Re: need help with ipfw nat to pf nat migration
Date: Mon, 1 Apr 2019 20:52:47 +0300
Message-ID: <75502aa3-0e10-fbba-d56b-5716e91e7b27@akhmatov.ru>
In-Reply-To: <20190401033424.GA95019@admin.sibptus.ru>
List-Id: Networking and TCP/IP with FreeBSD
Hello, Victor.

Try using "no nat".

    # table name was lost in the archived copy; <allowed> is a placeholder for it
    table <allowed> { 8.8.8.8, ..... }

    nat pass on $ext_if from 192.168.3.0/24 to <allowed> -> ($ext_if)
    no nat on $ext_if from 192.168.3.0/24 to any
    nat pass on $ext_if from 192.168.0.0/16 to any -> ($ext_if)

On 01/04/2019 06:34, Victor Sudakov wrote:
> Dear Colleagues,
>
> I'm trying to migrate some firewall rules from ipfw to pf. As pf does
> NAT first and filtering after NAT, I have a problem doing the following:
>
> 1. All 192.168.0.0/16 addresses should be translated to the real IP of
> the external interface.
>
> 2. A subset of the 192.168.0.0/16, for example 192.168.3.0/24,
> should have access only to a limited list of addresses in the Internet,
> for example 8.8.8.8 only.
>
> However, because the "nat" rule has already done its job before
> filtering, I cannot "block on $ext_if from 192.168.3.0/24 to any"
> because the source has already been translated.
>
> In ipfw I can "deny ip from 192.168.3.0/24 to not 8.8.8.8" before it
> even gets into the nat rule, but what do I do with pf?
>
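To make the ordering point concrete, here is an added toy model of the packet path the thread is discussing (FreeBSD-era pf: translation rules first-match, then filter rules last-match on the already-translated packet, with "nat pass" skipping the filter). It is constructed for this page and is not pf code or anything either poster wrote; the external address 203.0.113.10, the table name <allowed> and the filter rules are assumptions. It runs Victor's original single "nat" rule beside Sergey's "no nat" ruleset so you can see why "block from 192.168.3.0/24" only fires in the second case.

```python
"""Toy model of pf's legacy packet path: translation rules (nat / nat pass /
no nat) are evaluated first-match before filtering; filter rules are then
evaluated last-match against the packet as it looks *after* translation.
Constructed example, not pf itself."""
import ipaddress
from dataclasses import dataclass

EXT_IF_ADDR = "203.0.113.10"   # constructed stand-in for ($ext_if)
ALLOWED = {"8.8.8.8"}          # contents of the <allowed> table (name assumed)


@dataclass
class Packet:
    src: str
    dst: str
    nat_pass: bool = False     # set when a "nat pass" rule translated the packet


# Translation rules: (kind, source network, destination network/set/"any").
ORIGINAL_RULES = [                      # Victor's starting point
    ("nat", "192.168.0.0/16", "any"),
]
NO_NAT_RULES = [                        # Sergey's suggestion
    ("nat pass", "192.168.3.0/24", ALLOWED),
    ("no nat",   "192.168.3.0/24", "any"),
    ("nat pass", "192.168.0.0/16", "any"),
]

# Filter rules: (action, source network). pf applies the *last* matching rule.
FILTER_RULES = [
    ("pass",  "0.0.0.0/0"),
    ("block", "192.168.3.0/24"),        # the rule Victor could not get to fire
]


def matches(addr, net_or_set):
    """Match an address against 'any', a table (set) or a CIDR network."""
    if net_or_set == "any":
        return True
    if isinstance(net_or_set, set):
        return addr in net_or_set
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net_or_set)


def translate(pkt, rules):
    """First-match translation. 'no nat' stops evaluation without rewriting."""
    for kind, src_net, dst in rules:
        if matches(pkt.src, src_net) and matches(pkt.dst, dst):
            if kind == "no nat":
                return pkt
            return Packet(EXT_IF_ADDR, pkt.dst, nat_pass=(kind == "nat pass"))
    return pkt


def filter_packet(pkt):
    """Last-match filtering on the post-translation packet; nat pass skips it."""
    if pkt.nat_pass:
        return "pass"
    verdict = "pass"                    # pf's default policy
    for action, src_net in FILTER_RULES:
        if matches(pkt.src, src_net):
            verdict = action
    return verdict


def process(src, dst, rules):
    """Return (source address as the filter saw it, final verdict)."""
    pkt = translate(Packet(src, dst), rules)
    return pkt.src, filter_packet(pkt)


if __name__ == "__main__":
    for src, dst in [("192.168.3.5", "1.1.1.1"), ("192.168.3.5", "8.8.8.8"),
                     ("192.168.7.5", "1.1.1.1")]:
        print(src, "->", dst, "| original:", process(src, dst, ORIGINAL_RULES),
              "| no nat:", process(src, dst, NO_NAT_RULES))
```

With the original ruleset a 192.168.3.x host bound for 1.1.1.1 reaches the filter already rewritten to 203.0.113.10, so the block rule never matches and the packet passes. With the "no nat" rule in place the same packet keeps its 192.168.3.x source, the block rule matches, and only the 8.8.8.8 traffic (which hits the earlier "nat pass") gets out; the rest of 192.168.0.0/16 is unaffected.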