iptables rule in pf

Elliott Perrin elliott at c7.ca
Fri May 9 02:16:16 UTC 2008


On Thu, 2008-05-08 at 13:35 +0200, Daniel Roethlisberger wrote:
> Elliott Perrin <elliott at c7.ca> 2008-05-08:
> > On Thu, 2008-05-08 at 11:36 +0300, Oleksandr Samoylyk wrote:
> > > CZUCZY Gergely wrote:
> > > > On Thu, 08 May 2008 11:05:45 +0300 Oleksandr Samoylyk
> > > > <oleksandr at samoylyk.sumy.ua> wrote:
> > > >> CZUCZY Gergely wrote:
> > > >>> On Thu, 08 May 2008 01:04:54 +0300 Oleksandr Samoylyk
> > > >>> <oleksandr at samoylyk.sumy.ua> wrote:
> > > >>>> Dear Community,
> > > >>>>
> > > >>>> I want to move some of our firewalls from Linux/iptables to
> > > >>>> FreeBSD/pf.
> > > >>>>
> > > >>>> After reading man pf.conf for a couple of minutes I couldn't
> > > >>>> find the realization of such iptables rule in pf:
> > > >>>>
> > > >>>> iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p
> > > >>>> tcp --dport 25 -j DROP
> > > >>> block in on $interface proto tcp from any to ! my.smtp.server
> > > >>> port 25
> > > >>>
> > > >>>> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j
> > > >>>> DNAT --to-destination :25
> > > >>> rdr on $interface proto tcp from any to port 2525 ->
> > > >>> <the_destination_you_have_omitted> port 25
> > > >> I meant _any_ destination with 25 port.
> > > >>
> > > >> That iptables rule worked for any destination.
> > > > You cannot rewrite a packet's destination address to _any_
> > > > destination.
> > > > 
> > > > It's like you cannot submit a package at the post office with the
> > > > destination address "any". It's just meaningless.
> > > 
> > > However it works with iptables. :)
> > > 
> > > What can I do in my situation in order to gain the same
> > > functionality by means of pf or other additional daemons?
> > 
> > It doesn't just "work" in iptables. All you are doing is PAT with that
> > rule, rewriting destination ports. What does your DNAT table look like
> > where packets matching this rule then jump to? [...]
> 
> Your analysis of the two provided netfilter rules is wrong.  DNAT is a
> built-in pseudo-chain which does the actual destination address/port
> translation, in this case it rewrites the destination port to 25 and
> leaves the destination address untouched.
> 
> Just to clear up some of the terms used with netfilter: you don't jump
> to tables, you jump to chains.  Tables in netfilter are "nat", "filter"
> and "mangle"; like parallel worlds with their own set of chains, each
> table having a distinct purpose (packet filtering, address/port
> translations, and other packet mangling/tagging).
> 

I was not sure if DNAT was a built-in or not. As far as the difference
between tables / chains, thanks for clearing that up. I have not
firewalled with ipchains/iptables for quite some time, so I am not
completely up to speed on the semantics surrounding the software's
current incarnation. If having used incorrect terminology resulted in
difficulties, I apologize.

However, from a processing perspective my analysis is correct in
concept. The second rule does a port address translation switching the
destination port from port 2525 to port 25 on packets that match the
rule.

My analysis of both rules was in a previous reply to the posters
original email, I have included that analysis again below. Perhaps if it
too is incorrect from a conceptual perspective you could be so kind as
to point out why? 

"iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp
--dport 25 -j DROP

says all packets destined for port 25 for any address other than
my.smtp.server, jump to the built-in DROP table/chain.

The second rule 

iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT
--to-destination :25

I would think builds on the first (just like in pf order of rule
processing is very important) and says anything with a destination of
port 2525, jump to the DNAT table/chain and switch the destination port
to port 25, leaving the destination IP address untouched. Essentially
you are just doing PAT there.

Hard to know exactly what you are trying to do without network
topography. Is this on a three legged firewall for LAN to DMZ/Internet
connections or is this intended for inbound connections to your SMTP
servers? The rules in pf to serve either purpose would be different."
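As an added illustration (not posted by anyone in this thread), here is how the two rules discussed above fit together in a pf.conf for the "inbound connections to your SMTP server" case, where the SMTP host is known. The interface name and addresses are placeholders I chose; the point CZUCZY raised still applies, since rdr needs a concrete address after the arrow.

```pf
# Added example; em0 and 192.0.2.25 are placeholders, not from the thread.
ext_if      = "em0"          # plays the role of ethX in the iptables rules
smtp_server = "192.0.2.25"   # placeholder for my.smtp.server

# Equivalent of the first iptables rule: drop inbound TCP/25 that is not
# headed for the SMTP host.
block in on $ext_if proto tcp from any to ! $smtp_server port 25

# Counterpart of the second rule. pf cannot leave the destination address
# "any" here, so the redirect names the SMTP host explicitly: anything
# arriving for port 2525 is rewritten to $smtp_server port 25.
rdr on $ext_if proto tcp from any to any port 2525 -> $smtp_server port 25

# Translation happens before filtering, so the block rule above sees the
# rewritten destination ($smtp_server port 25) and does not match; this
# pass rule lets the translated connection through.
pass in on $ext_if proto tcp from any to $smtp_server port 25
```

Check the syntax without loading it with `pfctl -nf /path/to/pf.conf` before applying it.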