Date: Tue, 20 May 2008 22:12:52 -0700
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: "Jason C. Wells" <jcw@highperformance.net>
Cc: freebsd-pf@FreeBSD.org
Subject: Re: nat pass and state
Message-ID: <20080521051252.GA70840@eos.sc1.parodius.com>
In-Reply-To: <4833AD24.1040105@highperformance.net>
References: <48337A93.9090003@highperformance.net> <20080521042841.GA69249@eos.sc1.parodius.com> <4833AD24.1040105@highperformance.net>
On Tue, May 20, 2008 at 10:03:32PM -0700, Jason C. Wells wrote:
> Jeremy Chadwick wrote:
>
>> I believe it's because pf(4) doesn't make assumptions about what you
>> want to filter. NAT is stateful (it has to be, because packets are
>> being re-written, and the WAN-side port numbers are going to be
>> different than the LAN-side), but filtering rules still apply **after**
>> the translation has been done.
>>
>> What's happening is that your nat rule results in pf re-writing the
>> packet, then the packet is immediately blocked by one of your block
>> rules (I'm assuming "block out").
>>
>> The pf.conf manpage documents this, more or less:
>>
>> Since translation occurs before filtering the filter engine will see
>> packets as they look after any addresses and ports have been translated.
>> Filter rules will therefore have to filter based on the translated
>> address and port number. Packets that match a translation rule are only
>> automatically passed if the pass modifier is given, otherwise they are
>> still subject to block and pass rules.
>
> I guess my misunderstanding comes in where the pass modifier is concerned.
> I also have a weak understanding of what "state" actually means. The
> "automatically passed" part of your citation isn't automatically passing.

Oh! I'm sorry, I missed the "pass" word that was in your nat rule.

I don't ultimately know what that does internally to pf. There does not
appear to be any actual documentation on what the "pass" entry in a nat
rule actually does. This sounds like it could be a bug; even the pf
examples in /usr/share/examples/pf don't use "pass" in a nat rule.

I'll leave the bug comment up to the pf experts here to analyse, though.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
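The point quoted above from pf.conf(5), that translation happens before filtering so filter rules must match the translated address, is easiest to see in a minimal ruleset. The following pf.conf fragment is an added illustration and is not from the thread or from FreeBSD's example rulesets; the interface names em0/em1 and the 192.168.1.0/24 network are constructed assumptions.

```pf
# Added example, not from the thread. Two ways to NAT a private LAN out of
# $ext_if, showing why a "pass out ... from $int_net" rule never matches.
ext_if  = "em0"               # assumption: WAN-facing interface
int_if  = "em1"               # assumption: LAN-facing interface
int_net = "192.168.1.0/24"    # constructed private LAN range

# Variant A: nat WITHOUT the pass modifier.
# The packet is rewritten first (source becomes $ext_if's address), and only
# then evaluated by the filter rules, so the pass rule below must match the
# TRANSLATED source, i.e. ($ext_if), not $int_net.
nat on $ext_if from $int_net to any -> ($ext_if)

block log all
pass in  on $int_if inet from $int_net to any keep state
pass out on $ext_if inet from ($ext_if) to any keep state

# A rule written against the pre-translation source would never fire for
# outbound NATed traffic, and the "block log all" above would drop it:
#   pass out on $ext_if inet from $int_net to any keep state     # never matches

# Variant B: nat WITH the pass modifier (comment out Variant A's nat line to
# use this). Matching packets are passed at translation time and the filter
# rules are not consulted for them, so no "pass out" rule is needed; the
# trade-off is that the block rule and its logging no longer apply either.
# nat pass on $ext_if from $int_net to any -> ($ext_if)
```

To check which variant is actually in effect, `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -vvs rules` shows per-rule packet counters (an outbound pass rule with a counter stuck at zero is the symptom the thread describes), and `pfctl -s state` lists the NAT state entries with both the original and translated address:port pairs.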
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080521051252.GA70840>