nat pass and state
Jason C. Wells
jcw at highperformance.net
Wed May 21 05:03:36 UTC 2008
Jeremy Chadwick wrote:
> I believe it's because pf(4) doesn't make assumptions about what you
> want to filter. NAT is stateful (it has to be, because packets are
> being re-written, and the WAN-side port numbers are going to be
> different than the LAN-side), but filtering rules still apply **after**
> the translation has been done.
>
> What's happening is that your nat rule results in pf re-writing the
> packet, then the packet is immediately blocked by one of your block
> rules (I'm assuming "block out").
>
> The pf.conf manpage documents this, more or less:
>
> Since translation occurs before filtering the filter engine will see
> packets as they look after any addresses and ports have been translated.
> Filter rules will therefore have to filter based on the translated
> address and port number. Packets that match a translation rule are only
> automatically passed if the pass modifier is given, otherwise they are
> still subject to block and pass rules.
I guess my misunderstanding comes in where the pass modifier is
concerned. I also have a weak understanding of what "state" actually means.
The "automatically passed" part of your citation isn't
automatically passing.
I think I'll just drop the pass modifier on the NAT rule. Then it
becomes precisely clear to me that I need a filter rule after the nat rule.
Regards,
Jason
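The two forms discussed in this thread, side by side, as an added example (not a configuration posted by either writer). It assumes em0 as the WAN interface, em1 as the LAN interface and 192.168.1.0/24 as the LAN network; substitute your own.

```pf
ext_if  = "em0"              # assumed WAN interface
int_if  = "em1"              # assumed LAN interface
lan_net = "192.168.1.0/24"   # assumed LAN network

# Traffic from the LAN first arrives inbound on $int_if and is filtered
# there before any translation happens, so it needs a pass rule in any case.
# "keep state" makes pf create a state entry on the first packet; the
# replies for that connection are matched by the state and never walk the
# rule set again.
pass in on $int_if from $lan_net to any keep state

# --- Form 1: nat with the pass modifier -------------------------------
# The translated packet leaving $ext_if is passed by the nat rule itself
# and is not evaluated against the block/pass rules below.
nat pass on $ext_if from $lan_net to any -> ($ext_if)

# --- Form 2: nat without the pass modifier ----------------------------
# Translation still happens before filtering, but the rewritten packet is
# now subject to the filter rules. Because the filter engine sees the
# packet *after* translation, the pass rule must match the translated
# source, ($ext_if), not $lan_net; a rule written "from $lan_net" would
# never match on the outbound side and "block out" would drop the packet.
# nat on $ext_if from $lan_net to any -> ($ext_if)
# block out on $ext_if all
# pass out on $ext_if from ($ext_if) to any keep state
```

Only one of the two forms should be active at a time; uncomment form 2 and remove the `nat pass` line to switch, then check with `pfctl -nf /etc/pf.conf` before loading.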