From: Artem Viklenko <artem@viklenko.net>
Organization: Art&Co.
Subject: Re: need help with ipfw nat to pf nat migration
To: freebsd-net@freebsd.org
Date: Tue, 2 Apr 2019 16:45:18 +0300
Message-ID: <391e8839-00ce-0d2d-36e7-616c7d86cc30@viklenko.net>
In-Reply-To: <20190402070346.GA15400@admin.sibptus.ru>
References: <20190401033424.GA95019@admin.sibptus.ru> <75502aa3-0e10-fbba-d56b-5716e91e7b27@akhmatov.ru> <20190402070346.GA15400@admin.sibptus.ru>
List-Id: Networking and TCP/IP with FreeBSD

Hi!

On 02.04.19 10:03, Victor Sudakov wrote:
> Sergey Akhmatov wrote:
>>>
>>> I'm trying to migrate some firewall rules from ipfw to pf. As pf does
>>> NAT first and filtering after NAT, I have a problem doing the following:
>>>
>>> 1. All 192.168.0.0/16 addresses should be translated to the real IP of
>>> the external interface.
>>>
>>> 2. A subset of the 192.168.0.0/16, for example 192.168.3.0/24,
>>> should have access only to a limited list of addresses in the Internet,
>>> for example 8.8.8.8 only.
>>>
>>> However, because the "nat" rule has already done its job before
>>> filtering, I cannot "block on $ext_if from 192.168.3.0/24 to any"
>>> because the source has already been translated.

You can tag packets on the ingress interface and then filter on the egress interface based on this tag:

pass in quick on $int_if inet proto tcp from $server to any flags S/SA keep state allow-opts tag SERVER
block return-rst out log quick on $mob_if inet proto tcp to any port 25 tagged SERVER

>>>
>>> In ipfw I can "deny ip from 192.168.3.0/24 to not 8.8.8.8" before it
>>> even gets into the nat rule, but what do I do with pf?
>>>
>
>> Try using "no nat".
>>
>> table {8.8.8.8, ..... }
>> nat pass on $ext_if from 192.168.3.0/24 to -> $(ext_if)
>> no nat on ext_if from 192.168.3.0/24 to any
>> nat pass on $ext_if from 192.168.0.0/16 to any -> $(ext_if)
>
> Thank you Sergey, I get the idea. It is not very good though that
> packets from 192.168.3.0/24 to not will get into the
> Internet with the untranslated private src address. I guess I need to
> complete the configuration by a rule something like
>
> block out on $(ext_if) from 192.168.3.0/24 to any
>
> Is that right?
>
> Or probably add a rule to block all traffic from 192.168.0.0/16 out via $ext_if.
>

-- 
Regards!
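The tagging approach described in this reply, applied to the requirement stated at the top of the thread (all of 192.168.0.0/16 is NATed, but 192.168.3.0/24 may only reach 8.8.8.8), as an added example that is not part of this thread or of anyone's posted configuration. The interface names, the macro names, the table name <allowed> and the tag name RESTRICTED are assumptions.

```pf
# Added example, not from the thread. Names below are assumptions.
ext_if = "em0"
int_if = "em1"
restricted = "192.168.3.0/24"
table <allowed> { 8.8.8.8 }

# Translation runs before the filter rules are evaluated, so by the time a
# packet is filtered on $ext_if its source is already the external address.
# "($ext_if)" in parentheses means the interface's current address.
nat on $ext_if inet from 192.168.0.0/16 to any -> ($ext_if)

block log all

# Tag the restricted subnet where its packets enter the firewall. The tag
# follows the packet through translation to the egress interface, so it can
# be matched there even though the source address can no longer be.
# This rule must precede the general /16 rule because both are "quick".
pass in quick on $int_if inet from $restricted to any keep state tag RESTRICTED
pass in quick on $int_if inet from 192.168.0.0/16 to any keep state

# On the external interface, decide by tag instead of by (translated) source:
# tagged traffic may only go to the allowed destinations, everything else
# tagged is rejected and logged; untagged internal traffic passes as usual.
pass out quick on $ext_if inet from any to <allowed> tagged RESTRICTED keep state
block return out log quick on $ext_if inet tagged RESTRICTED
pass out quick on $ext_if inet keep state
```

Check the syntax without loading it with `pfctl -nf <file>`, and review the resulting rule order with `pfctl -sr` after loading. With this layout no packet from 192.168.3.0/24 leaves $ext_if with a private source address, which is the leak the "no nat" variant has to be completed against: a "no nat" rule only skips translation, so the untranslated packet still needs its own block on $ext_if.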