On Thu, 2008-05-08 at 01:04 +0300, Oleksandr Samoylyk wrote:
> Dear Community,
>
> I want to move some of our firewalls from Linux/iptables to FreeBSD/pf.
>
> After reading man pf.conf for a couple of minutes I couldn't find the
> realization of such an iptables rule in pf:
>
> iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport 25 -j DROP
> iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT --to-destination :25
>
> How can it be rewritten in pf.conf?
>
> Thanks!
It's been a while since I worked with iptables, but the first rule

  iptables -t nat -A PREROUTING -i ethX -d ! my.smtp.server -p tcp --dport 25 -j DROP

says: all packets destined for port 25 for any address other than my.smtp.server, jump to the builtin DROP table/chain.

The second rule

  iptables -t nat -A PREROUTING -i ethX -p tcp --dport 2525 -j DNAT --to-destination :25

I would think builds on the first (just like in pf, order of rule processing is very important) and says anything with a destination of port 2525, jump to the DNAT table/chain and switch the destination port to port 25, leaving the destination IP address untouched. Essentially you are just doing PAT there.

Hard to know exactly what you are trying to do without network topography. Is this on a three-legged firewall for LAN to DMZ/Internet connections, or is this intended for inbound connections to your SMTP servers? The rules in pf to serve either purpose would be different.

Also, what does your DNAT table look like? That second rule causes packets to rewrite their destination port, but what then happens in the DNAT table?

Cheers,
~e
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
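For readers following the thread, here is one pf.conf rendering of the two iptables rules for the inbound-to-SMTP-server case; it is an added illustration, not something either poster wrote. It assumes em0 is the external interface (ethX in the question) and uses 192.0.2.25 as a placeholder for my.smtp.server; because pf's rdr syntax needs an explicit target address, the port redirect is scoped to the SMTP server rather than to any destination.

```pf
# Added example (not from the thread). Assumptions: em0 is the external
# interface (ethX in the question); 192.0.2.25 stands in for my.smtp.server.
ext_if      = "em0"
smtp_server = "192.0.2.25"

# pf evaluates rdr rules before the filter rules, so the pass/block rules
# below see port 25, never 2525. rdr requires a target address, hence the
# redirect is limited to the SMTP server instead of "any destination".
rdr on $ext_if inet proto tcp from any to $smtp_server port 2525 \
    -> $smtp_server port 25

# Equivalent of the DROP rule: inbound SMTP to anything but the SMTP server.
# "quick" ends evaluation at this rule, mirroring iptables' first-match
# behaviour (pf otherwise applies the last matching rule).
block in quick on $ext_if inet proto tcp from any to ! $smtp_server port 25

# Inbound SMTP to the server itself, covering native port-25 connections
# and the redirected port-2525 connections alike.
pass in quick on $ext_if inet proto tcp from any to $smtp_server port 25 \
    flags S/SA keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and confirm the redirect with `pfctl -sn` and the filter rules with `pfctl -sr`.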