disabling implicit creation of state for NAT, BINAT and RDR

Max Laier max at love2party.net
Wed Oct 24 01:49:30 PDT 2007


On Wednesday 24 October 2007, Nex Mon wrote:
> On 10/24/07, Daniel Hartmeier <daniel at benzedrine.cx> wrote:
> > On Wed, Oct 24, 2007 at 01:50:55PM +0800, Nex Mon wrote:
> > > hello, is there a way to disable implicit creation of states for
> > > NAT, BINAT and RDR rules? the man page of pf.conf says this:
> > >
> > > Note: nat, binat and rdr rules implicitly create state for
> > > connections.
> >
> > Yes, translations require states.
> >
> > Imagine you have a connection from
> >
> >   Client      Gateway         External
> >   10.1.2.3 -> 62.65.145.30 -> 69.147.83.33
> >
> > i.e. the client 10.1.2.3 sends a TCP SYN to external server
> > 69.147.83.33. The NAT gateway replaces the source address with
> > 62.65.145.30.
> >
> > Now the external server sends a TCP SYN+ACK back to 62.65.145.30.
> > How would the gateway know that this packet is for 10.1.2.3, and
> > needs the destination address translated back to 10.1.2.3, without a
> > state entry?
> >
> > The state entry is the only part that holds this mapping information.
>
> Are you saying there is only one type of state for all the filter, RDR,
> etc rules? I have this understanding that NAT has its own translation
> table where it keeps states of NAT sessions. So in the example above,
> the only way to apply filter rules for translated (reply) packets would
> be at the internal interface?

The translation states are different from the filter states.  The former
just record the addresses on each side to be able to do the translation,
the latter record the addresses to be able to match traffic to the state
and consequently allow or deny it.  Unless you use the "pass" modifier on
the translation statement, a translation state does not automatically
allow the matched traffic to flow.  The pf.conf(5) manpage states:

  If the pass modifier is given, packets matching the translation rule are
  passed without inspecting the filter rules:

  rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 \
        port 8080

Otherwise you will have to have a pass rule for that traffic as well.

> I'm curious about OpenBSD's implementation of "no state" which can be
> applied to NAT, RDR, etc. Is there any chance this feature will be
> supported in FreeBSD?

The "no state" modifier is supported in FreeBSD (7.0 and later) for pass
rules only.  This is the same in OpenBSD.  Translation rules always have
to keep state as they can otherwise not do the translation!

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
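The distinction drawn in the reply above, as an added pf.conf example that is not part of the thread: translation rules create translation state but pass nothing by themselves, the filter rules see the already-translated packet, and "no state" is only meaningful on a pass rule. Interface names (em0/em1) and the internal network 10.1.2.0/24 are assumed.

```pf
ext_if  = "em0"
int_if  = "em1"
int_net = "10.1.2.0/24"

# Translation rules. Each match creates a translation state (the only place
# the reverse mapping for reply packets lives), but no traffic is allowed
# by these lines alone.
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 127.0.0.1 port 8080

block all

# Filter rules are evaluated on the translated packet, so the pass rule for
# the rdr above must match the post-translation destination, not port 80 on
# the external address.
pass in  on $ext_if proto tcp from any to 127.0.0.1 port 8080 keep state
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if from ($ext_if) to any keep state

# Equivalent shortcut: with the pass modifier, matching packets skip the
# filter rules entirely, so the explicit pass above would be unnecessary.
# rdr pass on $ext_if proto tcp from any to ($ext_if) port 80 -> 127.0.0.1 port 8080

# "no state" is accepted on pass rules only (FreeBSD 7.0+, as in OpenBSD):
# every packet is matched against the ruleset and no filter state is kept.
# It cannot be applied to nat/binat/rdr, which always keep translation state.
pass in on $int_if inet proto udp from $int_net to any port 53 no state
```

Load with pfctl -nf /etc/pf.conf first to syntax-check; pfctl -ss shows the filter states and pfctl -sn the translation rules currently loaded.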