How do IPFilter's `map' and 'rdr' translate to pf?
Jos Backus
jos at catnook.com
Sun Mar 26 02:58:28 UTC 2006
Hi,
I'm running into some trouble with IPFilter and am seizing the opportunity to
move an existing IPFilter setup on 6-stable to pf. pf seems fairly compatible
with IPFilter on the filtering side; so far the only difference I have found
is that pf doesn't support `keep frags' and a scrub rule needs to be used
instead. But the NAT definition syntax differs between the two and I haven't
been able to find a migration guide (apparently it's a TODO item). So I am
faced with converting the following entries from ipnat.rules. xl0 is int_if,
xl1 is ext_if and 1.2.3.x is an external IP address.
1. map xl1 192.168.10.0/24 -> 1.2.3.4/32 proxy port ftp ftp/tcp
In pf it looks like this needs to be done using a combination of running
ftp-proxy (which I'm assuming is the `old' ftp-proxy) and rules like these:
rdr on xl0 proto tcp from 192.168.10.0/24 to any port ftp \
-> 127.0.0.1 port 8021
# Data traffic
pass in on xl1 inet proto tcp from port ftp-data to xl1 \
user proxy flags S/SA keep state
Then there are these rules which I am not sure what to do about:
2. map xl1 192.168.10.0/24 -> 1.2.3.4/32 proxy port 500 ipsec/udp
?
3. map xl1 192.168.10.0/24 -> 1.2.3.4/32 proxy port 10000 ipsec/tcp
?
4. map xl1 192.168.10.0/24 -> 1.2.3.4/32 portmap tcp/udp 1025:65000
?
5. map xl1 192.168.10.0/24 -> 1.2.3.4/32
?
6. rdr xl1 from 192.168.2.0/24 to 1.2.3.5/32 port = 3000 -> \
192.168.1.1 port 3000
Equivalent to
rdr on xl1 from 192.168.2.0/24 to 1.2.3.5/32 port = 3000 -> \
192.168.1.1 port 3000
in pf?
7. rdr xl1 1.2.3.6/32 port 6502 -> 192.168.1.101 port 6502
Equivalent to
rdr on xl1 from 1.2.3.6/32 port 6502 to any -> 192.168.1.101 port 6502
in pf?
I'm pretty green when it comes to firewalls and NAT. Your help is appreciated!
--
Jos Backus
jos at catnook.com
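As an added illustration (not the poster's configuration, nor anything from the freebsd-pf list), the ipnat.rules entries above translated into FreeBSD 6-era pf.conf. Interface names, networks and 1.2.3.x addresses are taken from the post; the ftp-proxy port 8021, the assumption that rules 6 and 7 carry TCP (ipnat's default when no protocol is named), and the statement that pf has no IPsec application proxy are assumptions made for this example.

```conf
# Added example, not from the original post. Names/addresses follow the post.
int_if = "xl0"
ext_if = "xl1"
lan    = "192.168.10.0/24"

# nat/rdr rules are evaluated first-match (unlike filter rules), and in this
# pf version they must all precede the filter rules, so specific translations
# come before the catch-all nat.

# Rule 1 (map ... proxy port ftp ftp/tcp): pf has no in-kernel FTP proxy.
# Send LAN FTP control connections to ftp-proxy(8) on loopback (port 8021 assumed).
rdr on $int_if proto tcp from $lan to any port ftp -> 127.0.0.1 port 8021

# Rules 2 and 3 (proxy port 500 ipsec/udp, proxy port 10000 ipsec/tcp):
# assumption: pf offers no IPsec proxy, so these only get plain nat. static-port
# keeps IKE's source port at 500 for peers that insist on it.
nat on $ext_if proto udp from $lan to any port 500 -> 1.2.3.4 static-port

# Rule 4 (portmap tcp/udp 1025:65000): nat with an explicit source-port range.
nat on $ext_if proto { tcp udp } from $lan to any -> 1.2.3.4 port 1025:65000

# Rule 5 (plain map): catch-all nat for everything else from the LAN.
nat on $ext_if from $lan to any -> 1.2.3.4

# Rule 6: pf requires a protocol whenever a port is given (tcp assumed).
rdr on $ext_if proto tcp from 192.168.2.0/24 to 1.2.3.5 port 3000 \
    -> 192.168.1.1 port 3000

# Rule 7: in ipnat "rdr xl1 1.2.3.6/32 port 6502" names the destination being
# redirected, so in pf the address belongs after "to", not after "from".
rdr on $ext_if proto tcp from any to 1.2.3.6 port 6502 \
    -> 192.168.1.101 port 6502

# Filtering side: rdr only rewrites; the redirected traffic still needs a pass
# rule (matched against the translated destination) and state.
pass in on $ext_if inet proto tcp from any to 192.168.1.1 port 3000 \
    flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 192.168.1.101 port 6502 \
    flags S/SA keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, then `pfctl -s nat` to confirm the rules were parsed as intended.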