ipfilter & nat redirect

Erik Norgaard norgaard at locolomo.org
Wed Mar 22 10:39:47 UTC 2006


John Murphy wrote:
> I think the filter action occurs before NAT so you would need this:
> 
> pass in log quick on dc0 proto tcp from any to <your live IP> port = 80

For ip-filter, if nat is done when the packet comes IN on an interface, 
like with rdr, then this takes place BEFORE filtering. If nat is done 
when the packet goes OUT on an interface then this takes place AFTER 
filtering.

If you use binat then you can think of it as the combination of rdr and 
nat. The reason that binat is not really rdr+nat is that rdr requires a 
specific port. But for understanding where the nat'ing takes place for 
binat, thinking rdr+nat on the same interface works.

This means that when nat is configured correctly, you can completely 
forget about it when writing the firewall rules and just think of all 
networks as being routable.

Cheers, Erik
-- 
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
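The ordering described above, written out as a matching ipnat.conf / ipf.conf pair. This is an added example, not configuration from the list post or from the IPFilter project; the interface dc0 comes from the quoted reply, and the addresses (203.0.113.10 as the live address, 192.168.1.0/24 as the LAN, 192.168.1.10 as the web server) are constructed for illustration. The point it shows: because rdr runs before inbound filtering, the pass rule for redirected port 80 must name the internal host, and because map runs after outbound filtering, outbound rules see the private source address.

```conf
# /etc/ipnat.conf  (constructed example; addresses and dc0 are assumptions)

# rdr is applied when the packet comes IN on dc0, BEFORE the filter rules,
# so by the time ipf.conf sees an inbound HTTP packet its destination is
# already 192.168.1.10.
rdr dc0 203.0.113.10/32 port 80 -> 192.168.1.10 port 80 tcp

# map is applied when the packet goes OUT on dc0, AFTER the filter rules,
# so outbound rules still match on the 192.168.1.0/24 source address.
map dc0 192.168.1.0/24 -> 203.0.113.10/32 portmap tcp/udp 10000:20000
map dc0 192.168.1.0/24 -> 203.0.113.10/32


# /etc/ipf.conf  (constructed example; "quick" makes these first-match)

# Correct: match the post-rdr destination, the internal web server.
pass in quick on dc0 proto tcp from any to 192.168.1.10 port = 80 flags S keep state

# Would never match the redirected traffic, because rdr has already
# rewritten the destination before this rule is evaluated:
# pass in quick on dc0 proto tcp from any to 203.0.113.10 port = 80

block in log quick on dc0 all

# Outbound LAN traffic is filtered with its private source; map translates
# it to 203.0.113.10 only after it has passed these rules.
pass out quick on dc0 proto tcp  from 192.168.1.0/24 to any flags S keep state
pass out quick on dc0 proto udp  from 192.168.1.0/24 to any keep state
pass out quick on dc0 proto icmp from 192.168.1.0/24 to any keep state

block out log quick on dc0 all
```

Replies from the web server leave through the state entry created by the inbound "keep state" rule, so no separate pass out rule for port 80 is needed. On FreeBSD the pair is loaded with `ipnat -CF -f /etc/ipnat.conf` and `ipf -Fa -f /etc/ipf.conf`; `ipnat -l` and `ipfstat -nio` show what is actually installed, which is the quickest way to confirm the filter rule is written against the translated address.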
