Date: Tue, 2 Apr 2019 16:45:18 +0300
From: Artem Viklenko <artem@viklenko.net>
To: freebsd-net@freebsd.org
Subject: Re: need help with ipfw nat to pf nat migration
Message-ID: <391e8839-00ce-0d2d-36e7-616c7d86cc30@viklenko.net>
In-Reply-To: <20190402070346.GA15400@admin.sibptus.ru>
References: <20190401033424.GA95019@admin.sibptus.ru> <75502aa3-0e10-fbba-d56b-5716e91e7b27@akhmatov.ru> <20190402070346.GA15400@admin.sibptus.ru>
Hi!

On 02.04.19 10:03, Victor Sudakov wrote:
> Sergey Akhmatov wrote:
>>>
>>> I'm trying to migrate some firewall rules from ipfw to pf. As pf does
>>> NAT first and filtering after NAT, I have a problem doing the following:
>>>
>>> 1. All 192.168.0.0/16 addresses should be translated to the real IP of
>>> the external interface.
>>>
>>> 2. A subset of the 192.168.0.0/16, for example 192.168.3.0/24,
>>> should have access only to a limited list of addresses in the Internet,
>>> for example 8.8.8.8 only.
>>>
>>> However, because the "nat" rule has already done its job before
>>> filtering, I cannot "block on $ext_if from 192.168.3.0/24 to any"
>>> because the source has already been translated.

You can tag packets on the ingress interface and then filter on the egress
interface based on this tag:

pass in quick on $int_if inet proto tcp from $server to any flags S/SA keep state allow-opts tag SERVER
block return-rst out log quick on $mob_if inet proto tcp to any port 25 tagged SERVER

>>>
>>> In ipfw I can "deny ip from 192.168.3.0/24 to not 8.8.8.8" before it
>>> even gets into the nat rule, but what do I do with pf?
>>>
>
>> Try using "no nat".
>>
>> table <limited_nat> {8.8.8.8, ..... }
>> nat pass on $ext_if from 192.168.3.0/24 to <limited_nat> -> ($ext_if)
>> no nat on $ext_if from 192.168.3.0/24 to any
>> nat pass on $ext_if from 192.168.0.0/16 to any -> ($ext_if)
>
> Thank you Sergey, I get the idea. It is not very good though that
> packets from 192.168.3.0/24 to not <limited_nat> will get into the
> Internet with the untranslated private src address. I guess I need to
> complete the configuration by a rule something like
>
> block out on $ext_if from 192.168.3.0/24 to any
>
> Is that right?
>
> Or probably add a rule to block all traffic from 192.168.0.0/16 out via $ext_if.
>

-- 
Regards!
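The following pf.conf fragment is an added example, not code from any message in this thread. It combines the two ideas discussed above for FreeBSD's pf, where translation happens before filtering: the restricted subnet is tagged on the internal interface, and the tag (which survives NAT) is what the egress rules use to decide what may leave, so the decision no longer depends on the source address that NAT has already rewritten. An unconditional block of untranslated private sources on the external interface covers Victor's concern about leaking RFC 1918 addresses. The interface names, the table contents and the RESTRICTED tag name are assumptions.

```pf
# Added example (not from the original thread). Interface names, the
# table contents and the tag name are assumptions.
ext_if = "em0"
int_if = "em1"
restricted_net = "192.168.3.0/24"
table <limited_dst> { 8.8.8.8 }

# pf applies nat rules before filter rules. Translate the whole private
# range unconditionally; the restriction is enforced by the tag below,
# not by nat rule ordering.
nat on $ext_if inet from 192.168.0.0/16 to any -> ($ext_if)

# Defence in depth: after translation a legitimate packet on $ext_if
# carries the external address as its source, so anything still showing
# a private source here was not translated and must not leave.
block out log quick on $ext_if inet from 192.168.0.0/16 to any

# Tag the restricted subnet on ingress. The tag is attached to the
# packet and state, so it is still visible on egress after the source
# address has been rewritten.
pass in quick on $int_if inet from $restricted_net to any tag RESTRICTED keep state
pass in quick on $int_if inet from 192.168.0.0/16 to any keep state

# On egress, tagged traffic may only reach the allowed destinations;
# everything else tagged RESTRICTED is dropped. Untagged traffic from the
# rest of 192.168.0.0/16 is passed normally.
pass out quick on $ext_if inet to <limited_dst> tagged RESTRICTED keep state
block out log quick on $ext_if tagged RESTRICTED
pass out quick on $ext_if inet from ($ext_if) to any keep state
```

Parse it with `pfctl -nf /etc/pf.conf` before loading; `-n` checks the syntax without changing the running ruleset. Note that this uses the separate `nat` rule syntax of FreeBSD's pf; OpenBSD's newer `match ... nat-to` form differs and is not what the thread is about.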
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?391e8839-00ce-0d2d-36e7-616c7d86cc30>