use of ! in nat broken?

Mike Tancsa mike at sentex.net
Wed Jan 2 13:26:10 PST 2008


It very well could be the booze 2 nights ago making me misread something obvious, but should not

nat on $ext_if from {$internal204,!$server1,!$server2} to any -> $officepublicIP

be the same as

nat on $ext_if from {10.0.0.1,10.0.0.4,10.0.0.5,10.0.0.6,10.0.0.7,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27} to any -> $officepublicIP

and the same as

nat on $ext_if from <204network> to any -> $officepublicIP

Where
officepublicIP=67.43.133.205
internal204=10.0.0.0/26
server1=10.0.0.2/32
server2=10.0.0.3/32
table <204network> {!$server1,!$server2,$internal204}


If I use the first nat statement, traffic from my DMZ (199.212.134.7) 
gets natted as $officepublicIP.  If I use the second (explicit list) 
or third (define the list in a table) all works as expected and 
199.212.134.7 does not get caught up in the nat statement.


# pfctl -sn
nat on tun0 inet from 192.168.10.0/24 to any -> (tun0:0)
nat on tun0 inet from 10.0.0.0/26 to any -> 67.43.133.205
nat on tun0 inet from ! 10.0.0.2 to any -> 67.43.133.205
nat on tun0 inet from ! 10.0.0.3 to any -> 67.43.133.205
nat on tun0 inet from 192.168.1.0/24 to any -> 67.43.133.204
binat on tun0 inet from 10.0.0.2 to any -> 67.43.133.206
binat on tun0 inet from 10.0.0.3 to any -> 67.43.133.207

vs

# pfctl -sn
nat on tun0 inet from 192.168.10.0/24 to any -> (tun0:0)
nat on tun0 inet from 10.0.0.1 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.4 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.5 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.6 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.7 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.8/29 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.16/28 to any -> 67.43.133.205
nat on tun0 inet from 10.0.0.32/27 to any -> 67.43.133.205
nat on tun0 inet from 192.168.1.0/24 to any -> 67.43.133.204
binat on tun0 inet from 10.0.0.2 to any -> 67.43.133.206
binat on tun0 inet from 10.0.0.3 to any -> 67.43.133.207

vs

# pfctl -sn
nat on tun0 inet from 192.168.10.0/24 to any -> (tun0:0)
nat on tun0 inet from <204network> to any -> 67.43.133.205
nat on tun0 inet from 192.168.1.0/24 to any -> 67.43.133.204
binat on tun0 inet from 10.0.0.2 to any -> 67.43.133.206
binat on tun0 inet from 10.0.0.3 to any -> 67.43.133.207


Kernel is 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #0: Fri Dec 14 15:02:59 EST 2007

I don't see anything new in the pf tree since then.

         ---Mike

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike at sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike
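
The behaviour Mike observes follows from how pfctl treats the two constructs: a brace list is expanded into one rule per entry (the `from ! 10.0.0.2` rule in the first `pfctl -sn` output matches every source outside 10.0.0.2, including 199.212.134.7), whereas a table is a single lookup in which a `!` entry excludes its prefix. The Python model below is added here and is not part of the post or of pf; it reproduces that difference for the three `from` specifications, considers only the single nat rule, and ignores the binat rules.

```python
import ipaddress

# Constructed model of the two pf semantics the post compares (added example,
# not pf's code). A brace list "{ a, !b }" is expanded by pfctl into separate
# rules "from a" and "from ! b", each evaluated on its own, while a table is
# one longest-prefix lookup in which a "!" entry excludes that prefix.

INTERNAL204 = "10.0.0.0/26"
SERVER1 = "10.0.0.2/32"
SERVER2 = "10.0.0.3/32"
DMZ_HOST = "199.212.134.7"  # the source the post says was wrongly natted

# The three "from" specifications compared in the post.
BRACE_LIST = [INTERNAL204, "!" + SERVER1, "!" + SERVER2]
EXPLICIT_LIST = ["10.0.0.1", "10.0.0.4", "10.0.0.5", "10.0.0.6", "10.0.0.7",
                 "10.0.0.8/29", "10.0.0.16/28", "10.0.0.32/27"]
TABLE_204NETWORK = ["!" + SERVER1, "!" + SERVER2, INTERNAL204]


def parse_entry(spec):
    """Turn '!10.0.0.2/32' or '10.0.0.8/29' into (negated, network)."""
    negated = spec.startswith("!")
    return negated, ipaddress.ip_network(spec.lstrip("!"), strict=False)


def list_rule_matches(entries, src):
    """Brace-list semantics: one rule per entry, the packet matches if ANY
    expanded rule does. 'from ! net' matches every address outside net."""
    ip = ipaddress.ip_address(src)
    return any((ip in net) != negated
               for negated, net in map(parse_entry, entries))


def table_matches(entries, src):
    """Table semantics: longest-prefix lookup; the winning entry's '!' flag
    decides, so a negated /32 overrides the enclosing /26."""
    ip = ipaddress.ip_address(src)
    best = None
    for negated, net in map(parse_entry, entries):
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (negated, net)
    return best is not None and not best[0]


def natted_sources(matcher, entries, probes):
    """Return the probe addresses that the given 'from' spec would translate."""
    return [p for p in probes if matcher(entries, p)]


if __name__ == "__main__":
    probes = ["10.0.0.2", "10.0.0.5", DMZ_HOST]
    print("brace list:", natted_sources(list_rule_matches, BRACE_LIST, probes))
    print("explicit  :", natted_sources(list_rule_matches, EXPLICIT_LIST, probes))
    print("table     :", natted_sources(table_matches, TABLE_204NETWORK, probes))
```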