nat pass and state

Jeremy Chadwick koitsu at FreeBSD.org
Wed May 21 04:28:41 UTC 2008


On Tue, May 20, 2008 at 06:27:47PM -0700, Jason C. Wells wrote:
> I have these rules (and others) in pf.conf:
>
> nat pass on $ext_if from $int_net to any -> ($ext_if)
>
> block in all
> block out all
>
> I cannot connect to websites unless I also add:
>
> pass proto { tcp, udp } from any to any port http keep state
>
> My understanding is that nat rules are inherently stateful.  I also 
> understand that a packet that matches state bypasses filter rules.  A hit 
> on a web page should generate a state on the way out and then match that 
> state on the way back in, avoiding the block rules.  By testing, I show 
> that the pass http rule is needed to complete the connection.
>
> Would someone please explain why the nat rule is not sufficient to allow me 
> to access a web page?  I must have a gross conceptual error on how PF 
> works.  This is too simple, but I just don't get it.

I believe it's because pf(4) doesn't make assumptions about what you
want to filter.  NAT is stateful (it has to be, because packets are
being re-written, and the WAN-side port numbers are going to be
different than the LAN-side), but filtering rules still apply **after**
the translation has been done.

What's happening is that your nat rule results in pf re-writing the
packet, then the packet is immediately blocked by one of your block
rules (I'm assuming "block out").

The pf.conf manpage documents this, more or less:

     Since translation occurs before filtering the filter engine will see
     packets as they look after any addresses and ports have been translated.
     Filter rules will therefore have to filter based on the translated
     address and port number.  Packets that match a translation rule are only
     automatically passed if the pass modifier is given, otherwise they are
     still subject to block and pass rules.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
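As an added illustration (not part of the original thread), the ruleset from the question with the nat rule kept and the filter rules tightened to the direction and interface they are actually needed on. It assumes the macros $ext_if, $int_if and $int_net are defined; the outbound pass rule matches on the translated source address ($ext_if), as the manpage excerpt above requires.

```conf
# Constructed example, not from the original post.
# Assumed macros; adjust to the real interfaces and LAN prefix.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# Translation is evaluated before filtering (translation rules must also
# come before filter rules in this syntax).  The "pass" modifier only skips
# filtering on $ext_if, where the translation itself happens.
nat pass on $ext_if from $int_net to any -> ($ext_if)

# Default deny in both directions on every interface.
block in all
block out all

# --- As in the question: a catch-all rule that passes http in and out on
# --- every interface.  It works, but it is far broader than needed:
# pass proto { tcp, udp } from any to any port http keep state

# --- Tightened form: admit the LAN clients on the inside interface only,
# --- and on the outside match the *translated* source address.
pass in  on $int_if proto { tcp, udp } from $int_net to any port http keep state
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port http keep state
```

The state created by the pass rules lets the replies back in without a separate inbound rule on $ext_if; check with `pfctl -nf /etc/pf.conf` before loading and `pfctl -ss` to see the state entries as a connection is made.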
