Help with pf ruleset

Erik Norgaard norgaard at
Sun Mar 9 20:30:24 UTC 2008

Erik Wilson wrote:
>     I know you have cut away a lot of rules, but maybe that just makes
>     things more confusing. Try to nest your rules in the following order:
>     direction - interface - protocol - src net - dst net - port/type
>     You should need no "out" rules if you have "in" rules with keep state.
>     At each branch level make a catchup rule at the end with default action
>     and "quick" key word to make sure packets don't spill over and get
>     matched by other rules.
> Good advice, thanks.  I'm afraid i've tried so many different options 
> and variations to get this to work that it's not as pretty as it should 
> be.  I got some of these rules from various examples posted on the web, 
> and tweaked them into unrecognizability ;)  Do you think that Josh is 
> right about needing a route-to rule for the second WAN interface?

It is absolutely possible that the problem is that the ping or response 
get sent the wrong way. Use snort to see what goes on. I did not analyze 
your setup to the point that I can tell you that.

> Since you're handing out best practices ;)  Is it better to use a nat 
> pass or rdr pass rule than seperate nat/rdr and pass statements?  Why?

I prefer to separate things. I know the less lines you have, the less 
lines can contain an error. But on the other hand, the less lines you 
have the more obscure and difficult to debug they become.

It is very common that people believe they have errors in their filter 
rules when in fact it's nat rules that are wrong.

When you have both rdr, nat and binat be careful to understand which 
order they take effect. They are first match. But since rdr is done on 
the way IN while nat is done on the way OUT, an rdr rule can take effect 
before the intended nat rule despite it being after the nat rule.

So, to avoid such confusion, write first your rdr, then nat.

Also, use the log statement in your nat rules while debugging.

Cheers, Erik

Erik Nørgaard
Ph: +34.666334818                 

More information about the freebsd-questions mailing list