iptables rule in pf

Elliott Perrin elliott at c7.ca
Thu May 8 08:43:35 UTC 2008


On Thu, 2008-05-08 at 01:04 +0300, Oleksandr Samoylyk wrote:
> Dear Community,
> 
> I want to move some of our firewalls from Linux/iptables to FreeBSD/pf.
> 
> After reading man pf.conf for a couple of minutes I couldn't find the
> realization of such iptables rule in pf:
> 
> iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport 25 -j DROP
> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT --to-destination :25
> 
> How it can be rewriting in pf.conf?
> 
> Thanks!
> 

It's been a while since I worked with iptables, but the first rule

iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport 25 -j DROP

says all packets destined for port 25 for any address other than
my.smtp.server, jump to the builtin DROP table/chain.

The second rule

iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT --to-destination :25

I would think builds on the first (just like in pf, order of rule
processing is very important) and says anything with a destination of
port 2525, jump to the DNAT table/chain and switch the destination port
to port 25, leaving the destination IP address untouched. Essentially
you are just doing PAT there.

Hard to know exactly what you are trying to do without network
topography. Is this on a three legged firewall for LAN to DMZ/Internet
connections or is this intended for inbound connections to your SMTP
servers? The rules in pf to serve either purpose would be different.

Also what does your DNAT table look like? That second rule causes
packets to rewrite their destination port, but what then happens in the
DNAT table?

Cheers,
~e
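One way the two iptables rules map onto pf.conf, as an added example that is not part of the thread (neither poster supplied it). It assumes the FreeBSD 7-era pf syntax with separate translation rules, that the external interface iptables called ethX is em0, that my.smtp.server is 192.0.2.25 behind the firewall, and that connections to port 2525 are meant to reach that host on port 25. The interface name and address are placeholders.

```pf
# Added pf.conf fragment; macros are assumptions standing in for the poster's values.
ext_if      = "em0"          # assumption: the interface iptables called ethX
smtp_server = "192.0.2.25"   # assumption: address of my.smtp.server (TEST-NET-1)

# Translation (rdr) rules are evaluated before the filter rules, so by the
# time the filter sees a connection that arrived on port 2525, its destination
# is already $smtp_server port 25. This stands in for the DNAT rule.
# pf's rdr always needs a target address; iptables' "--to-destination :25"
# (port only, address untouched) has no literal equivalent, so the SMTP host
# is named explicitly here.
rdr on $ext_if inet proto tcp from any to any port 2525 -> $smtp_server port 25

# Equivalent of "-d ! my.smtp.server --dport 25 -j DROP": port-25 traffic
# arriving on $ext_if for any host other than the SMTP server is silently
# dropped. "quick" makes this the final match, like DROP ending processing.
# (block = drop silently, as DROP does; "block return" would behave like REJECT.)
block in quick on $ext_if inet proto tcp from any to ! $smtp_server port 25

# Let the remaining port-25 traffic, including the redirected 2525 sessions,
# through, keeping state so the replies are matched without further rules.
pass in on $ext_if inet proto tcp from any to $smtp_server port 25 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -sn` and `pfctl -sr` show the loaded translation and filter rules respectively. Note the ordering difference from iptables: in pf the rdr is applied first regardless of where it appears relative to the filter rules, and among filter rules the last match wins unless a rule carries `quick`.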