iptables rule in pf

Elliott Perrin elliott at c7.ca
Thu May 8 08:59:14 UTC 2008


On Thu, 2008-05-08 at 11:36 +0300, Oleksandr Samoylyk wrote:
> CZUCZY Gergely wrote:
> > On Thu, 08 May 2008 11:05:45 +0300
> > Oleksandr Samoylyk <oleksandr at samoylyk.sumy.ua> wrote:
> > 
> >> CZUCZY Gergely wrote:
> >>> On Thu, 08 May 2008 01:04:54 +0300
> >>> Oleksandr Samoylyk <oleksandr at samoylyk.sumy.ua> wrote:
> >>>
> >>>> Dear Community,
> >>>>
> >>>> I want to move some of our firewalls from Linux/iptables to FreeBSD/pf.
> >>>>
> >>>> After reading man pf.conf for a couple of minutes I couldn't find the
> >>>> realization of such iptables rule in pf:
> >>>>
> >>>> iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport
> >>>> 25 -j DROP
> >>> block in on $interface proto tcp from any to ! my.smtp.server port 25
> >>>
> >>>> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT
> >>>> --to-destination :25
> >>> rdr on $interface proto tcp from any to port 2525 ->
> >>> <the_destination_you_have_omitted> port 25
> >> I meant _any_ destination with 25 port.
> >>
> >> That iptables rule worked for any destination.
> > You cannot rewrite a packet's destination address to _any_ destination.
> > 
> > It's like you cannot submit a package at the post office with the destination
> > address "any". It's just meaningless.
> > 
> 
> However it works with iptables. :)
> 
> What can I do in my situation in order to gain the same functionality by 
> means of pf or other additional daemons?
> 

It doesn't just "work" in iptables. All you are doing is PAT with that
rule, rewriting destination ports. What does your DNAT table look like
where packets matching this rule then jump to? 

That iptables rule may have worked for any destination, but it merely
jumps (-j) to another table where address rewriting is pretty much a
guarantee since by definition DNAT is Destination Network Address
Translation. That rule does PAT and nothing more. 

If those 2 rules alone form the base logic of your firewall structure I
would really love to know the address of that machine :-) 

Cheers
~e
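For reference, here is the pair of rules as the thread settles on them, laid out as a minimal pf.conf fragment. This is an added example, not part of the original exchange or of anyone's posted ruleset; the interface name em0, the address 192.0.2.25 and the surrounding pass rule are assumptions, and the rdr line spells out the explicit destination that the replies say pf requires (it does not reproduce the port-only DNAT the original poster asked about).

```pf
# Added example, not from the thread. Interface and address are placeholders.
ext_if      = "em0"          # assumed: the interface that was ethX on the Linux box
smtp_server = "192.0.2.25"   # assumed: the address of my.smtp.server

# Translation (rdr) is evaluated before filtering. This is the pf form of
#   iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT --to-destination :25
# with the destination written out explicitly, as the replies above require.
rdr on $ext_if proto tcp from any to any port 2525 -> $smtp_server port 25

# Counterpart of dropping port-25 traffic that is not headed for the mail server:
#   iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport 25 -j DROP
block in on $ext_if proto tcp from any to ! $smtp_server port 25

# Filter rules see the packet after rdr, so the redirected 2525 connections
# arrive here already rewritten to port 25 on $smtp_server and are admitted
# by this single stateful rule; port-25 traffic to any other host only matches
# the block rule above.
pass in on $ext_if proto tcp from any to $smtp_server port 25 flags S/SA keep state
```

Because filtering happens after translation, a pass rule written for the pre-rdr destination (port 2525) would never match; the pass rule must describe the rewritten packet. Check the fragment for syntax errors with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`.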



More information about the freebsd-pf mailing list