PF binat rule issue - feature or bug?
George Davidovich
freebsd at optimis.net
Fri Dec 4 22:56:51 UTC 2009
On Fri, Dec 04, 2009 at 10:41:20AM -0600, Greg Barniskis wrote:
> Using 7.2-RELEASE-p4 i386 with GENERIC kernel, I've found (the hard way)
> that if I have a pf.conf rule like
>
> nat on $ext_if proto { tcp udp icmp } from $my_subnet \
> to any -> some.public.ip.num
>
> then pfctl will perform the expected expansion of the listed protocols
> into three separate NAT rules.
>
> However, if I have a rule like
>
> binat on $ext_if proto { tcp udp icmp } from $server_dmz_ip \
> to any -> $server_public_ip
>
> then I will /only/ get one NAT rule, for TCP.
>
> Then things like NTP, DNS and ping will fail, but the filtering rules
> that permit such traffic will increment their byte, packet and state
> counters like PF is working just fine (and I suppose in some sense that
> the filtering part is). But only if I explicitly declare in pf.conf a
> separate binat rule for each desired protocol, instead of listing them,
> will things work as needed.
>
> Feature or bug? If the former, it is not well documented that I could
> see. I expected that a list of protocols for a binat rule would just
> work, and pfctl certainly didn't mark it as bad syntax. If a bug, is
> this a FreeBSD bug or OpenBSD?
The BNF grammar in pfconf(5) suggests that binat rules don't take a
list. Summarised:
nat-rule   = ... "proto" ( proto-name | proto-number | "{" proto-list "}" )
binat-rule = ... "proto" ( proto-name | proto-number )
--
George
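The workaround Greg describes (one binat rule per protocol, since pfctl only expands a "{ ... }" list on nat rules) and a way to check what pfctl really loaded, as an added example that is not part of the thread. The interface name, addresses and file path are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original thread. Expands a protocol list into
# separate binat rules and counts the translation rules pfctl actually
# produces, so a silently dropped udp/icmp rule is noticed before traffic fails.

EXT_IF="em0"                    # assumed external interface
SERVER_DMZ_IP="10.0.1.10"       # constructed DMZ address
SERVER_PUBLIC_IP="192.0.2.10"   # constructed public address (TEST-NET-1)

# Emit one binat rule per protocol: $1 = DMZ address, $2 = public address,
# remaining arguments = protocols. This does by hand the expansion that
# pfctl performs for nat rules but not for binat rules.
binat_rules() {
    dmz="$1"; pub="$2"; shift 2
    for proto in "$@"; do
        printf 'binat on %s proto %s from %s to any -> %s\n' \
            "$EXT_IF" "$proto" "$dmz" "$pub"
    done
}

# Count the binat rules in rule text read from stdin (generated or live).
count_binat() {
    grep -c '^binat '
}

# Dry-run parse of a pf.conf (-n: do not load, -v: print the expanded rules)
# and count the binat rules pfctl would install. Returns 1 when pfctl is not
# present, e.g. when this script is run somewhere other than the firewall.
binat_count_in_file() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not available" >&2; return 1; }
    pfctl -nvf "$1" | count_binat
}

# Demonstration: generate the three rules and show their count.
binat_rules "$SERVER_DMZ_IP" "$SERVER_PUBLIC_IP" tcp udp icmp
binat_rules "$SERVER_DMZ_IP" "$SERVER_PUBLIC_IP" tcp udp icmp | count_binat
```

After loading, `pfctl -s nat | grep -c '^binat '` on the firewall should report the same number as the generated file; a count of 1 means the list was collapsed to TCP only.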