Date: Tue, 2 Apr 2019 14:03:46 +0700
From: Victor Sudakov <vas@mpeks.tomsk.su>
To: freebsd-net@freebsd.org
Subject: Re: need help with ipfw nat to pf nat migration
Message-ID: <20190402070346.GA15400@admin.sibptus.ru>
In-Reply-To: <75502aa3-0e10-fbba-d56b-5716e91e7b27@akhmatov.ru>
References: <20190401033424.GA95019@admin.sibptus.ru> <75502aa3-0e10-fbba-d56b-5716e91e7b27@akhmatov.ru>
Sergey Akhmatov wrote:
> >
> > I'm trying to migrate some firewall rules from ipfw to pf. As pf does
> > NAT first and filtering after NAT, I have a problem doing the following:
> >
> > 1. All 192.168.0.0/16 addresses should be translated to the real IP of
> > the external interface.
> >
> > 2. A subset of the 192.168.0.0/16, for example 192.168.3.0/24,
> > should have access only to a limited list of addresses in the Internet,
> > for example 8.8.8.8 only.
> >
> > However, because the "nat" rule has already done its job before
> > filtering, I cannot "block on $ext_if from 192.168.3.0/24 to any"
> > because the source has already been translated.
> >
> > In ipfw I can "deny ip from 192.168.3.0/24 to not 8.8.8.8" before it
> > even gets into the nat rule, but what do I do with pf?
> >
> Try using "no nat".
>
> table <limited_nat> { 8.8.8.8, ..... }
> nat pass on $ext_if from 192.168.3.0/24 to <limited_nat> -> ($ext_if)
> no nat on $ext_if from 192.168.3.0/24 to any
> nat pass on $ext_if from 192.168.0.0/16 to any -> ($ext_if)

Thank you Sergey, I get the idea. It is not very good though that packets
from 192.168.3.0/24 to not <limited_nat> will get into the Internet with
the untranslated private src address. I guess I need to complete the
configuration by a rule something like

block out on $ext_if from 192.168.3.0/24 to any

Is that right? Or probably add a rule to block all traffic from
192.168.0.0/16 out via $ext_if.
-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
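As an added example, not part of the thread, here is a complete pf.conf fragment that puts Sergey's "no nat" ordering and Victor's egress block together, plus the alternative of filtering on the internal interface, which is the pf equivalent of the ipfw "deny before nat" rule. The interface names em0/em1 and the internal-interface variant are assumptions; the table contents and address ranges are those from the thread.

```pf
# Assumed interface names; adjust to the real ones.
ext_if = "em0"
int_if = "em1"

# Destinations that 192.168.3.0/24 may reach (from the thread).
table <limited_nat> { 8.8.8.8 }

# --- Translation rules: first matching rule wins ----------------------
# 1. 192.168.3.0/24 to the allowed list is translated; "pass" means the
#    packet is passed without evaluating the filter rules below.
nat pass on $ext_if from 192.168.3.0/24 to <limited_nat> -> ($ext_if)
# 2. Everything else from 192.168.3.0/24 is explicitly NOT translated,
#    so rule 3 never matches it.
no nat on $ext_if from 192.168.3.0/24 to any
# 3. The rest of 192.168.0.0/16 is translated and passed.
nat pass on $ext_if from 192.168.0.0/16 to any -> ($ext_if)

# --- Filter rules: last matching rule wins ----------------------------
# Safety net for the leak Victor points out: anything that reaches the
# external interface still carrying a private source address was not
# translated (i.e. fell through "no nat"), so drop it. Logging it makes
# untranslated leaks visible in pflog for later review.
block out log quick on $ext_if from 192.168.0.0/16 to any

# --- Alternative (assumed): enforce the policy before NAT ------------
# Filtering inbound on the internal interface sees the original private
# source address, so the restriction can be stated directly, mirroring
# the ipfw "deny ip from 192.168.3.0/24 to not 8.8.8.8" rule. With this
# in place the "no nat" trick is no longer needed for enforcement.
block in log quick on $int_if from 192.168.3.0/24 to ! <limited_nat>
pass  in       quick on $int_if from 192.168.0.0/16 to any
```

The two halves are independent: the translation block plus the egress `block out` is exactly the thread's approach with the gap closed, while the `$int_if` rules enforce the same policy one hop earlier. Keeping the egress block even when the internal-interface rules are used costs nothing and catches any future rule-ordering mistake that lets a private source slip out untranslated; check with `pfctl -nf /etc/pf.conf` before loading and watch `tcpdump -n -e -ttt -i pflog0` for hits on the logged rules.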
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190402070346.GA15400>