Date: Wed, 9 Feb 2011 07:38:42 -0500
From: Maxim Khitrov <max@mxcrypt.com>
To: Da Rock <freebsd-questions@herveybayaustralia.com.au>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf, binat, rdr, and one ip
Message-ID: <AANLkTinPzyx+fwzOJpwn634jScsQ7SbRada4A9=5oVNs@mail.gmail.com>
In-Reply-To: <4D527BAC.3080805@herveybayaustralia.com.au>
References: <4D515148.3000009@herveybayaustralia.com.au> <20110208151849.GC3267@catflap.slightlystrange.org> <4D51CD05.8040003@herveybayaustralia.com.au> <20110209111646.GD3267@catflap.slightlystrange.org> <4D527BAC.3080805@herveybayaustralia.com.au>
On Wed, Feb 9, 2011 at 6:34 AM, Da Rock <freebsd-questions@herveybayaustralia.com.au> wrote:
> On 02/09/11 21:16, Daniel Bye wrote:
>> On Wed, Feb 09, 2011 at 09:08:53AM +1000, Da Rock wrote:
>>> On 02/09/11 01:18, Daniel Bye wrote:
>>>> On Wed, Feb 09, 2011 at 12:20:56AM +1000, Da Rock wrote:
>>>>> A very quick question.
>>>>>
>>>>> PF firewall. One static public IP. About 6 servers on the internal
>>>>> network (dmz). One server binat in the pf.conf, the rest redirected.
>>>>>
>>>>> Possible? Or would it die in the hole?
>>>>
>>>> I guess you're concerned about performance and resource usage? If so, this
>>>> may be helpful.
>>>>
>>>> http://www.openbsd.org/faq/pf/perf.html
>>>>
>>>> Dan
>>>
>>> Useful info to have, thanks. But no, I'm interested in if the binatting
>>> will interfere with the rdr's (or vice versa).
>>
>> Ah, I see. I don't know, is the straight answer - I've never needed to use
>> both together. A bit of idle googling seems to suggest it's possible, but
>> I don't have time right now to dig any deeper.
>
> That's exactly what I got too. Nothing definitive to go on. Apparently not a
> very common arrangement. It *seems* to be working, but there are some weird
> quirks I can't quite account for. Hence the question to the guys who'd
> know... :)

According to pf.conf(5):

    Evaluation order of the translation rules is dependent on the type of
    the translation rules and of the direction of a packet. binat rules are
    always evaluated first. Then either the rdr rules are evaluated on an
    inbound packet or the nat rules on an outbound packet. Rules of the same
    type are evaluated in the same order in which they appear in the
    ruleset. The first matching rule decides what action is taken.

The way I interpret this is that when an outside client tries to establish a
connection to one of your servers, the rdr rules will never be evaluated,
since the only public IP is translated with binat.

Outgoing connections shouldn't have a problem, since binat will only match
one local IP address and the others can be translated with nat rules.

- Max
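The two rulesets below are an added illustration of the evaluation order Max quotes; they are not from the thread and not from the FreeBSD or OpenBSD pf documentation. Interface names, the public address (203.0.113.10, from a documentation range), the DMZ addresses and the choice of a web server and a mail server are all assumptions made up for the example. The syntax is the pre-4.7 pf dialect (separate binat/nat/rdr rules) that FreeBSD shipped in 2011, the one the quoted pf.conf(5) text describes.

```pf
# --- Assumed topology (not from the thread) ---
ext_if  = "em0"
int_if  = "em1"
ext_ip  = "203.0.113.10"       # the single static public IP
dmz_net = "192.168.1.0/24"
web_srv = "192.168.1.10"       # host the poster wants to binat
mail_srv = "192.168.1.20"      # one of the "rest redirected" hosts

# --- Arrangement 1: what the original question describes ---
# binat for one host, rdr for the others, all on the same public IP.
#
# Per the quoted pf.conf(5) text, binat rules are evaluated first and the
# first match decides. This binat matches every inbound packet addressed
# to $ext_ip, so the rdr line below it is never reached and port 25
# ends up on $web_srv, not $mail_srv.
binat on $ext_if from $web_srv to any -> $ext_ip
rdr   on $ext_if proto tcp from any to $ext_ip port 25 -> $mail_srv

# --- Arrangement 2: no binat; rdr decides inbound, nat decides outbound ---
# Inbound packets to $ext_ip now fall through to the rdr rules and are
# matched in ruleset order; outbound packets from the DMZ are translated
# by the single nat rule (which also covers $web_srv, so it loses nothing
# by giving up its binat).
nat on $ext_if from $dmz_net to any -> $ext_ip
rdr on $ext_if proto tcp from any to $ext_ip port { 80, 443 } -> $web_srv
rdr on $ext_if proto tcp from any to $ext_ip port 25          -> $mail_srv

# Filter rules see the post-translation (internal) addresses.
block in on $ext_if
pass  in on $ext_if proto tcp from any to $web_srv  port { 80, 443 } flags S/SA keep state
pass  in on $ext_if proto tcp from any to $mail_srv port 25          flags S/SA keep state
pass out on $ext_if from $dmz_net to any keep state
```

Only one of the two arrangements should be loaded at a time; they are shown together so the difference is visible. To check a ruleset without loading it, run `pfctl -nf /etc/pf.conf`, and after loading, `pfctl -s nat` prints the translation rules in the order pf will evaluate them, which is the quickest way to see a binat line sitting in front of the rdr lines it shadows.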