Hi!

On 02.04.19 10:03, Victor Sudakov wrote:
Sergey Akhmatov wrote:

I'm trying to migrate some firewall rules from ipfw to pf. As pf does
NAT first and filtering after NAT, I have a problem doing the following:

1. All 192.168.0.0/16 addresses should be translated to the real IP of
the external interface.

2. A subset of the 192.168.0.0/16, for example 192.168.3.0/24,
should have access only to a limited list of addresses in the Internet,
for example 8.8.8.8 only.

However, because the "nat" rule has already done its job before
filtering, I cannot "block on $ext_if from 192.168.3.0/24 to any"
because the source has already been translated.


You can tag packets on ingress interface and then filter on egress interface based on this tag:

pass in quick on $int_if inet proto tcp from $server to any flags S/SA keep state allow-opts tag SERVER
block return-rst out log quick on $mob_if inet proto tcp to any port 25 tagged SERVER



In ipfw I can "deny ip from 192.168.3.0/24 to not 8.8.8.8" before it
even gets into the nat rule, but what do I do with pf?


Try using "no nat".

table <limited_nat> { 8.8.8.8, ..... }
nat pass on $ext_if from 192.168.3.0/24 to <limited_nat> -> ($ext_if)
no nat on $ext_if from 192.168.3.0/24 to any
nat pass on $ext_if from 192.168.0.0/16 to any -> ($ext_if)

Thank you Sergey, I get the idea. It is not very good though that
packets from 192.168.3.0/24 to not <limited_nat> will get into the
Internet with the untranslated private src address. I guess I need to
complete the configuration by a rule something like

block out on $ext_if from 192.168.3.0/24 to any

Is that right?

Or probably add a rule to block all traffic from 192.168.0.0/16 out via $ext_if.


--
Regards!
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
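A complete pf.conf that puts the pieces of this thread together, as an added example and not a config anyone in the thread posted. It assumes FreeBSD pf with the legacy "nat" syntax, em0 as the external and em1 as the internal interface, and a constructed table of permitted destinations; none of those come from the thread. Two pf facts drive the layout: translation rules are first-match (so the specific "no nat" exemption must precede the generic nat rule), and a packet filtered inbound on $int_if has not been translated yet, so the private source can still be matched there, which makes the egress "block out" on $ext_if a safety net rather than the only line of defence.

```pf
# Added example, not a config from the thread. Assumed interface names
# and table contents; adjust to the real network.
ext_if      = "em0"
int_if      = "em1"
lan         = "192.168.0.0/16"
limited_lan = "192.168.3.0/24"
table <limited_nat> { 8.8.8.8, 8.8.4.4 }   # constructed list of allowed targets

set skip on lo0

# --- Translation: applied on $ext_if before filtering; first matching rule wins ---
# 192.168.3.0/24 is translated only towards <limited_nat> ...
nat on $ext_if from $limited_lan to <limited_nat> -> ($ext_if)
# ... and "no nat" exempts the rest of that subnet from the generic rule below,
# so those packets keep their private source and are caught by the filter.
no nat on $ext_if from $limited_lan to any
nat on $ext_if from $lan to any -> ($ext_if)

# --- Filtering: last matching rule wins, unless the rule says "quick" ---
block log all

# Inbound on $int_if the source address is still untranslated, so the
# restriction for 192.168.3.0/24 can be expressed directly, before NAT.
block in quick log on $int_if from $limited_lan to ! <limited_nat>
pass in quick on $int_if from $lan to any keep state

# Safety net: nothing with an RFC 1918 source may leave $ext_if. Translated
# packets carry ($ext_if) as source here and do not match this rule.
block out quick log on $ext_if from $lan to any
pass out quick on $ext_if inet keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then confirm the translation order with `pfctl -s nat` (the "no nat" line must appear above the generic nat rule) and the filter order with `pfctl -vs rules`. A quick `tcpdump -ni em0 src net 192.168.0.0/16` while a host in 192.168.3.0/24 tries to reach a non-listed address should stay silent; if private sources show up on the wire, the egress block rule is not in effect. The example deliberately uses plain `nat` rather than `nat pass`, because `nat pass` lets translated packets bypass the filter rules entirely and would hide any mistake in them.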