Date:      Mon, 1 Apr 2019 10:34:24 +0700
From:      Victor Sudakov <vas@mpeks.tomsk.su>
To:        freebsd-net@freebsd.org
Subject:   need help with ipfw nat to pf nat migration
Message-ID:  <20190401033424.GA95019@admin.sibptus.ru>



Dear Colleagues,

I'm trying to migrate some firewall rules from ipfw to pf. As pf does
NAT first and filtering after NAT, I have a problem doing the following:

1. All 192.168.0.0/16 addresses should be translated to the real IP of
the external interface.

2. A subset of the 192.168.0.0/16, for example 192.168.3.0/24,
should have access only to a limited list of addresses in the Internet,
for example 8.8.8.8 only.

However, because the "nat" rule has already done its job before
filtering, I cannot "block on $ext_if from 192.168.3.0/24 to any"
because the source has already been translated.

In ipfw I can "deny ip from 192.168.3.0/24 to not 8.8.8.8" before it
even gets into the nat rule, but what do I do with pf?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

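The pf counterpart of the ipfw ordering described in the message, as an added example that is not part of the original post or any reply: since pf's nat rule on the external interface rewrites the source before any filter rule on that interface sees the packet, the restriction is enforced inbound on the internal interface, where the packet still carries its 192.168.3.x source. The interface names em0/em1 and the table name <allowed> are assumptions; the address ranges are the ones from the question.

```pf
# Added example, not from the original message. Interface names and the
# table name <allowed> are assumptions; the address ranges are the ones
# from the question. Default-deny and the rest of the ruleset are omitted.
ext_if  = "em0"           # external interface, holds the real IP
int_if  = "em1"           # internal interface facing 192.168.0.0/16
lan     = "192.168.0.0/16"
limited = "192.168.3.0/24"
table <allowed> { 8.8.8.8 }   # the only destinations $limited may reach

# 1. Translate every LAN address to the address of the external interface.
#    pf applies this as the packet leaves $ext_if, i.e. after the packet has
#    already been filtered inbound on $int_if.
nat on $ext_if inet from $lan to any -> ($ext_if)

# 2. Enforce the restriction where the source is still untranslated:
#    inbound on the internal interface. "quick" stops evaluation so the
#    generic pass rule below cannot override this block (pf is last-match).
block in quick on $int_if inet from $limited to ! <allowed>

# Everything else from the LAN may leave. State is created on the way in
# on $int_if, so the replies arriving on $ext_if match the state table.
pass in  on $int_if inet from $lan to any keep state
pass out on $ext_if inet keep state

# Alternative if the filter really has to sit on $ext_if: tag the packet in
# the nat rule (tags survive translation, source addresses do not) and match
# the tag in the outbound filter rule. nat rules are first-match, so the
# more specific one comes first.
# nat on $ext_if inet from $limited to any tag LIMITED -> ($ext_if)
# nat on $ext_if inet from $lan to any -> ($ext_if)
# block out quick on $ext_if inet to ! <allowed> tagged LIMITED
```

Check the loaded rules with `pfctl -nf /etc/pf.conf` before enabling them, and confirm that a packet from 192.168.3.0/24 to a non-listed host shows up as blocked on $int_if (for example with `pfctl -vsr` counters or a `block in log quick ...` variant read via tcpdump on pflog0) rather than leaving $ext_if translated.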



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190401033424.GA95019>