NAT Loopback

Max Laier max at love2party.net
Wed Nov 3 10:22:09 PST 2004


[ Sorry for the delay, EuroBSDCon has been demanding - and a lot of FUN! ]

Hi Cédric,

On Tuesday 02 November 2004 14:53, Cédric Jonas wrote:
>   For 5 days I have been trying to install PF on my server to replace my old
>   hardware router... Until now, everything was ok, better than the old
>   router - BUT, what I miss is the NAT Loopback functionality (so
>   that IP packets which come from the LAN and are destined to my WAN
>   IP effectively leave the WAN interface and come back through the
>   WAN interface => the packet is subjected to the filter rulesets for
>   incoming packets on my WAN interface = NAT Loopback)
>   I found this in the OpenBSD PF FAQ:
>   http://www.openbsd.org/faq/pf/rdr.html#rdrnat, but it isn't what I'm
>   looking for, because the packets don't leave and re-enter the WAN
>   interface.

You can try to add a rule in the form of:
  pass in on $internal_if route-to ($external_if $external_ip) \
      from any to $external_ip

This will loop back all traffic hitting the internal interface destined to 
the external IP via the external interface. Be aware of the overhead of this 
approach. Depending on your setup it might be easier to replicate the desired 
restrictions for the internal interface.

>   I hope that one will be able to help me here (and that I described
>   it understandably), it's my last
>   possibility I think.

It's always helpful to post your ruleset, so that we can tell you where to put 
new rules or to explain which rules do cause the problem you are seeing. 
Don't be too afraid to post your rulesets - fortunately *BSD and the default 
services it provides are a whole lot more secure than seen elsewhere ;)

>   Sorry for my bad English, but I do what I can ;-)

Oh c'mon - I've seen worse and that includes me sometimes.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
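A pf.conf fragment showing the second option from the reply, replicating the WAN restrictions on the internal interface, as an added example that is not from the original message or from the FreeBSD/OpenBSD projects. It follows the rdr/nat pattern from the FAQ section the question links to and adds the mirrored filter rule; interface names, addresses and the port 80 web server are constructed placeholders. The reply's route-to rule is kept above as written; this fragment is the alternative for setups where the loop-back overhead is not worth it.

```pf
# Constructed example values; replace with your own.
ext_if  = "fxp0"            # WAN interface
int_if  = "xl0"             # LAN interface
ext_ip  = "203.0.113.10"    # public address on $ext_if (constructed)
int_net = "192.168.1.0/24"
www     = "192.168.1.20"    # internal web server (constructed)

# Normal outbound NAT for the LAN and the inbound forward for port 80.
nat on $ext_if from $int_net to any -> $ext_ip
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $www port 80

# LAN clients that connect to the public IP are redirected on $int_if
# instead of being sent out and back in. The extra nat rule rewrites the
# client source to the firewall's LAN address so the server's replies
# return through the firewall rather than going to the client directly.
rdr on $int_if proto tcp from $int_net to $ext_ip port 80 -> $www port 80
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to $www port 80 -> $int_if

# Filter: deny by default on both sides, then open only what the WAN
# side allows and mirror exactly that restriction on the LAN side.
block in on $ext_if all
pass in on $ext_if proto tcp from any to $www port 80 flags S/SA keep state

block in on $int_if proto tcp from $int_net to $www
pass in on $int_if proto tcp from $int_net to $www port 80 flags S/SA keep state
```

The two `pass in` rules are the point: whatever the WAN rule permits toward `$www`, the LAN rule permits as well and nothing more, so a LAN client reaching the server through the public address is held to the same policy as an outside client, without the packet ever leaving `$ext_if`.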