Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 2 Apr 2019 16:45:18 +0300
From:      Artem Viklenko <artem@viklenko.net>
To:        freebsd-net@freebsd.org
Subject:   Re: need help with ipfw nat to pf nat migration
Message-ID:  <391e8839-00ce-0d2d-36e7-616c7d86cc30@viklenko.net>
In-Reply-To: <20190402070346.GA15400@admin.sibptus.ru>
References:  <20190401033424.GA95019@admin.sibptus.ru> <75502aa3-0e10-fbba-d56b-5716e91e7b27@akhmatov.ru> <20190402070346.GA15400@admin.sibptus.ru>

next in thread | previous in thread | raw e-mail | index | archive | help
Hi!

On 02.04.19 10:03, Victor Sudakov wrote:
> Sergey Akhmatov wrote:
>>>
>>> I'm trying to migrate some firewall rules from ipfw to pf. As pf does
>>> NAT first and filtering after NAT, I have a problem doing the following:
>>>
>>> 1. All 192.168.0.0/16 addresses should be translated to the real IP of
>>> the external interface.
>>>
>>> 2. A subset of the 192.168.0.0/16, for example 192.168.3.0/24,
>>> should have access only to a limited list of addresses in the Internet,
>>> for example 8.8.8.8 only.
>>>
>>> However, because the "nat" rule has already done its job before
>>> filtering, I cannot "block on $ext_if from 192.168.3.0/24 to any"
>>> because the source has already been translated.


You can tag packets on ingress interface and then filter on egress interface 
based on this tag:

pass in quick on $int_if inet proto tcp from $server to any flags S/SA keep 
state allow-opts tag SERVER
block return-rst out log quick on $mob_if inet proto tcp to any port 25 tagged 
SERVER


>>>
>>> In ipfw I can "deny ip from 192.168.3.0/24 to not 8.8.8.8" before it
>>> even gets into the nat rule,  but what do I do with pf?
>>>
> 
>> Try using "no nat".
>>
>> table <limited_nat> {8.8.8.8, ..... }
>> nat pass on $ext_if from 192.168.3.0/24 to <limited_nat> -> $(ext_if)
>> no nat on ext_if from 192.168.3.0/24 to any
>> nat pass on $ext_if from 192.168.0.0/16 to any -> $(ext_if)
> 
> Thank you Sergey, I get the idea. It is not very good though that
> packets from 192.168.3.0/24 to not <limited_nat> will get into the
> Internet with the untranslated private src address. I guess I need to
> complete the configuration by a rule something like
> 
> block out on $(ext_if) from 192.168.3.0/24 to any
> 
> Is that right?
> 
> Or probably add a rule to block all trafic from 192.168.0.0/16 out via $ext_if.
> 

-- 
Regards!



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?391e8839-00ce-0d2d-36e7-616c7d86cc30>