Date:      Thu, 10 Feb 2011 10:40:04 +1000
From:      Da Rock <>
To:        Maxim Khitrov <>
Subject:   Re: pf, binat, rdr, and one ip

On 02/09/11 22:38, Maxim Khitrov wrote:
> On Wed, Feb 9, 2011 at 6:34 AM, Da Rock wrote:
>> On 02/09/11 21:16, Daniel Bye wrote:
>>> On Wed, Feb 09, 2011 at 09:08:53AM +1000, Da Rock wrote:
>>>> On 02/09/11 01:18, Daniel Bye wrote:
>>>>> On Wed, Feb 09, 2011 at 12:20:56AM +1000, Da Rock wrote:
>>>>>> A very quick question.
>>>>>> PF firewall. One static public IP. About 6 servers on the internal
>>>>>> network (dmz). One server binat in the pf.conf, the rest redirected.
>>>>>> Possible? Or would it die in the hole?
>>>>> I guess you're concerned about performance and resource usage? If so,
>>>>> this may be helpful.
>>>>> Dan
>>>> Useful info to have, thanks. But no, I'm interested in if the binatting
>>>> will interfere with the rdr's (or vice versa).
>>> Ah, I see. I don't know, is the straight answer - I've never needed to use
>>> both together. A bit of idle googling seems to suggest it's possible, but
>>> I don't have time right now to dig any deeper.
>> That's exactly what I got too. Nothing definitive to go on. Apparently not a
>> very common arrangement. It *seems* to be working, but there are some weird
>> quirks I can't quite account for. Hence the question to the guys who'd
>> know... :)
> According to pf.conf(5):
>       Evaluation order of the translation rules is dependent on the type of the
>       translation rules and of the direction of a packet.  binat rules are
>       always evaluated first.  Then either the rdr rules are evaluated on an
>       inbound packet or the nat rules on an outbound packet.  Rules of the same
>       type are evaluated in the same order in which they appear in the ruleset.
>       The first matching rule decides what action is taken.
> The way I interpret this is that when an outside client tries to
> establish a connection to one of your servers, the rdr rules will
> never be evaluated, since the only public IP is translated with binat.
> Outgoing connections shouldn't have a problem, since binat will only
> match one local IP address and the others can be translated with nat
> rules.
Allow me to prefix my comments with the fact that that is not what 
appears to be happening.

I read that as well, but my reading between the lines was that it is the 
_rules_ that are evaluated. So if I have a block all policy and then 
open up what I need, then only the _ports_ specified for that binat 
machine are passed - the rest continue for further evaluation: the rdr 
rules are then assessed and the packets are passed accordingly.

What I see works mostly; I have a binat machine for voip (asterisk), and 
the rest of the jumble gets passed to the rdr's or get blocked. However, 
where I come unstuck (and this is why I recreated my firewall rules) is 
I still can't get outgoing calls to my voip provider. It still eludes 
me... So I'm not sure if I'm 100% right or not.

Hence my dilemma... I did get outgoing calls to work somewhere when my 
firewall rules were still not quite working, but I couldn't ring in! I 
have used an ATA and tried to figure out what I'm missing, but I still 
haven't got it figured yet.

But I digress. At the time when I started this thread I was having some 
odd issues with my rdr servers, but now they appear to be working as 
they should (after some blood, sweat and tears), fingers crossed. So what 
I will do now is finish this problem and get the voip working (which may 
or may not be a firewall problem), and then see whether it all works as 
beautifully as it should; then I will report back on this thread and let 
people know the outcome.
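As an added illustration (not part of the thread, and not a ruleset posted by any of the participants), here is a pf.conf translation section in the pre-OpenBSD-4.7 syntax that FreeBSD used at the time, laying out the arrangement under discussion: one public address, one host mapped with binat, the remaining servers reached through rdr. The interface names, addresses and port lists are assumptions chosen for the example. Because pf.conf(5) evaluates binat first and stops at the first matching translation rule, an unrestricted binat on the only public address would claim every inbound packet before any rdr is looked at; the example narrows the binat with `proto udp` so that TCP traffic falls through to the rdr rules.

```pf
# Added example, not from the thread. Interfaces and addresses are assumptions;
# 203.0.113.0/24 is the RFC 5737 documentation range.
ext_if   = "em0"
int_if   = "em1"
pub_ip   = "203.0.113.10"
asterisk = "10.0.0.10"      # host that gets the 1:1 binat mapping
webhost  = "10.0.0.20"
mailhost = "10.0.0.30"

# Translation rules. Per pf.conf(5): binat is evaluated first, then rdr for
# inbound packets or nat for outbound packets; the first matching rule wins.

# 1:1 mapping for the VoIP box, limited to UDP. Without "proto udp" the binat
# would match all inbound traffic to $pub_ip and the rdr rules below would
# never be evaluated.
binat on $ext_if proto udp from $asterisk to any -> $pub_ip

# Outbound many-to-one nat for everything else on the internal network
# (and for non-UDP traffic from $asterisk, which the binat does not cover).
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Inbound port forwards for the remaining servers.
rdr on $ext_if proto tcp from any to $pub_ip port { 80, 443 } -> $webhost
rdr on $ext_if proto tcp from any to $pub_ip port 25 -> $mailhost

# Filter rules are applied after translation, so they match on the internal
# addresses. Default deny inbound, then pass only what each host needs.
block in on $ext_if
pass in on $ext_if proto udp from any to $asterisk port { 5060, 10000:20000 }
pass in on $ext_if proto tcp from any to $webhost port { 80, 443 }
pass in on $ext_if proto tcp from any to $mailhost port 25
```

`pfctl -nf /etc/pf.conf` parse-checks the file without loading it, and `pfctl -s nat` prints the loaded translation rules in the order pf evaluates them, which is the quickest way to confirm which rule a given inbound packet will hit first.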
