Date: Thu, 4 Apr 2019 11:30:04 +0700
From: Victor Sudakov <vas@mpeks.tomsk.su>
To: freebsd-net@freebsd.org
Subject: Re: need help with ipfw nat to pf nat migration
Message-ID: <20190404043004.GA10861@admin.sibptus.ru>
In-Reply-To: <391e8839-00ce-0d2d-36e7-616c7d86cc30@viklenko.net>
References: <20190401033424.GA95019@admin.sibptus.ru> <75502aa3-0e10-fbba-d56b-5716e91e7b27@akhmatov.ru> <20190402070346.GA15400@admin.sibptus.ru> <391e8839-00ce-0d2d-36e7-616c7d86cc30@viklenko.net>
Artem Viklenko via freebsd-net wrote:
> >>>
> >>> I'm trying to migrate some firewall rules from ipfw to pf. As pf does
> >>> NAT first and filtering after NAT, I have a problem doing the following:
> >>>
> >>> 1. All 192.168.0.0/16 addresses should be translated to the real IP of
> >>> the external interface.
> >>>
> >>> 2. A subset of the 192.168.0.0/16, for example 192.168.3.0/24,
> >>> should have access only to a limited list of addresses in the Internet,
> >>> for example 8.8.8.8 only.
> >>>
> >>> However, because the "nat" rule has already done its job before
> >>> filtering, I cannot "block on $ext_if from 192.168.3.0/24 to any"
> >>> because the source has already been translated.
>
>
> You can tag packets on the ingress interface and then filter on the egress interface
> based on this tag:
>

1. > pass in quick on $int_if inet proto tcp from $server to any flags S/SA keep state allow-opts tag SERVER

2. > block return-rst out log quick on $mob_if inet proto tcp to any port 25 tagged SERVER

You have already passed the packet with "quick" in the first rule; it
probably will never hit the second "block" rule?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet
http://vas.tomsk.ru/
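As an added example that is not part of this thread, the following pf.conf fragment (FreeBSD pf syntax; the interface names em0/em1 and the tag name are assumed) implements the two requirements from the original question with the tagging approach Artem describes. The `quick` on an inbound rule only ends the inbound evaluation on $int_if; the packet, still carrying its tag, is evaluated again when it leaves on $ext_if, which is where the block rule matches.

```pf
ext_if = "em0"                  # external interface (name assumed)
int_if = "em1"                  # internal interface (name assumed)
lan_net = "192.168.0.0/16"
limited_net = "192.168.3.0/24"
limited_dst = "{ 8.8.8.8 }"     # the only destinations allowed for $limited_net

# Requirement 1: translate the whole LAN to the external interface's
# address. On FreeBSD pf this runs before the out rules on $ext_if are
# evaluated, so those rules never see a 192.168.x.x source address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Tag on ingress, where the original source address is still visible.
# The first rule matches the permitted destinations and, being "quick",
# stops the inbound evaluation before the tagging rule below it is reached.
pass in quick on $int_if from $limited_net to $limited_dst keep state
pass in quick on $int_if from $limited_net to any keep state tag LIMITED_DENY
pass in quick on $int_if from $lan_net to any keep state

# Requirement 2: on egress the source is already translated, so filter on
# the tag that was attached on $int_if instead of on the source address.
block return out log quick on $ext_if tagged LIMITED_DENY
pass out quick on $ext_if from ($ext_if) to any keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch `pflog0` with tcpdump to confirm that the logged blocks are the tagged packets from 192.168.3.0/24 and nothing else.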