nat pass and state
Jeremy Chadwick
koitsu at FreeBSD.org
Wed May 21 05:12:53 UTC 2008
On Tue, May 20, 2008 at 10:03:32PM -0700, Jason C. Wells wrote:
> Jeremy Chadwick wrote:
>
>> I believe it's because pf(4) doesn't make assumptions about what you
>> want to filter. NAT is stateful (it has to be, because packets are
>> being re-written, and the WAN-side port numbers are going to be
>> different than the LAN-side), but filtering rules still apply **after**
>> the translation has been done.
>>
>> What's happening is that your nat rule results in pf re-writing the
>> packet, then the packet is immediately blocked by one of your block
>> rules (I'm assuming "block out").
>>
>> The pf.conf manpage documents this, more or less:
>>
>> Since translation occurs before filtering the filter engine will see
>> packets as they look after any addresses and ports have been translated.
>> Filter rules will therefore have to filter based on the translated
>> address and port number. Packets that match a translation rule are only
>> automatically passed if the pass modifier is given, otherwise they are
>> still subject to block and pass rules.
>
> I guess my misunderstanding comes in where the pass modifier is concerned.
> I also have a weak understand of what "state" actually means. The
> "automatically passsed" part of your citation isn't automatically passing.
Oh! I'm sorry, I missed the "pass" word that was in your nat rule. I
don't ultimately know what that does internally to pf. There does not
appear to be any actual documentation on what the "pass" entry in a nat
rule actually does.
This sounds like it could be a bug; even the pf examples in
/usr/share/examples/pf don't use "pass" in a nat rule. I'll leave the
bug comment up to the pf experts here to analyse, though.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
More information about the freebsd-pf
mailing list