On Wed, 25 Feb 2009 21:27:24 -0500, Jason Dixon wrote:

>On Thu, Feb 26, 2009 at 01:14:43PM +1100, Rod Whitworth wrote:
>> On Wed, 25 Feb 2009 17:39:31 -0800, patrick keshishian wrote:
>> 
>> >The floating states based on line 10 would be for pre-NAT sources on
>> >$int_if and wouldn't match any inbound packets on $ext_if. Unless I'm
>> >misunderstanding how NAT works with pf, there are no pass out rules
>> >that would create states for these packets:
>> >
>> >from pf.conf(5):
>> >
>> >     Since translation occurs before filtering the filter engine will see
>> >     packets as they look after any addresses and ports have been translated.
>> >     Filter rules will therefore have to filter based on the translated
>> >     address and port number.  Packets that match a translation rule are only
>> >     automatically passed if the pass modifier is given, otherwise they are
>> >     still subject to block and pass rules.
>> >     ...
>> >     Translation rules apply only to packets that pass through the specified
>> >     interface, and if no interface is specified, translation is applied to
>> >     packets on all interfaces.
>> >
>> 
>> That's all fine but, pray tell, which rule is doing the blocking?
>> The only block I can see says "09 block in log all" - no block out
>> anything.
>
>The 'block in' will block return traffic since no state is matching for
>outbound traffic (see prior emails about translation before filtering).
>
Oh dear! Then you mean this even simpler ruleset will not work:
# cat pf.conf
ext_if="sis0"
int_if="sis1"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass out
pass in on $int_if

Funny........
# pfctl -sa|less
TRANSLATION RULES:
nat on sis0 from ! (sis0) to any -> (sis0:0)

FILTER RULES:
block drop in all
pass out all flags S/SA keep state
pass in on sis1 all flags S/SA keep state
No queue in use

STATES:
all udp 192.168.80.199:39777 -> 192.168.80.1:53       MULTIPLE:SINGLE
all udp 192.168.80.199:28240 -> 192.168.80.1:53       MULTIPLE:SINGLE
all tcp 192.168.80.199:3806 -> 129.128.5.191:80       FIN_WAIT_2:FIN_WAIT_2
<snip>

Now there is a difference. In case you missed it - I used "pass out",
not "pass out on $ext_if", but that makes no difference; in fact, as I
pointed out earlier, there is no "block out" for anything in the ruleset,
so you can remove the "pass out" line entirely.

Being of less than sound mind at times of stress ( it is tax submission
time ;-(  ), I did a reality check and tested all three configurations
I described above and all work. I guess that proves my earlier
statement.

Nothing like a practical test is there?



*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
Mail to the sender address that does not originate at the list server is
tarpitted. The reply-to: address is provided for those who feel compelled to
reply off list. Thank you.

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device

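To make the point of the thread concrete (translation happens before filtering, the state table is consulted before the rule list, and "block in" therefore only catches packets with no state), here is a small model of pf's packet path for the three-line ruleset above. It is an added illustration, not pf's own code; the interface names come from the thread, while the addresses and the STRANGER host are constructed samples.

```python
# Simplified model of pf's packet path for the ruleset in this thread (not pf's code):
# NAT before filtering, state lookup before rules, last matching rule wins (no 'quick').
from dataclasses import dataclass, field

EXT_IF, INT_IF, EXT_IP = "sis0", "sis1", "203.0.113.10"          # constructed external IP
LAN_HOST, SERVER, STRANGER = "192.168.80.199", "129.128.5.191", "198.51.100.7"
# block in / pass out / pass in on $int_if, all with the default 'keep state'
RULES = [("block", "in", None), ("pass", "out", None), ("pass", "in", INT_IF)]

@dataclass
class Packet:
    direction: str  # "in" or "out" relative to iface
    iface: str
    proto: str
    src: str
    dst: str

@dataclass
class Firewall:
    states: set = field(default_factory=set)    # floating states: no interface in the key
    nat_map: dict = field(default_factory=dict)

    def nat(self, p: Packet) -> Packet:
        # nat on $ext_if from !($ext_if) -> ($ext_if:0)
        if p.direction == "out" and p.iface == EXT_IF and p.src != EXT_IP:
            self.nat_map[(p.proto, p.dst)] = p.src  # remembered so replies can be untranslated
            return Packet(p.direction, p.iface, p.proto, EXT_IP, p.dst)
        return p

    def filter(self, p: Packet) -> str:
        # a packet that belongs to an existing state never reaches the rule list
        if (p.proto, p.src, p.dst) in self.states or (p.proto, p.dst, p.src) in self.states:
            return "pass (state)"
        verdict = "pass"                         # pf passes by default when nothing matches
        for action, direction, iface in RULES:
            if direction == p.direction and iface in (None, p.iface):
                verdict = action                 # last match wins
        if verdict == "pass":
            self.states.add((p.proto, p.src, p.dst))  # keyed on post-translation addresses
        return verdict

    def handle(self, p: Packet) -> str:
        return self.filter(self.nat(p))

def demo():
    fw = Firewall()  # walk a LAN client's TCP connection and its reply through both interfaces
    lan_in = fw.handle(Packet("in", INT_IF, "tcp", LAN_HOST, SERVER))       # pass in on sis1
    wan_out = fw.handle(Packet("out", EXT_IF, "tcp", LAN_HOST, SERVER))     # NAT, then pass out
    reply_in = fw.handle(Packet("in", EXT_IF, "tcp", SERVER, EXT_IP))       # matches the state
    lan_out = fw.handle(Packet("out", INT_IF, "tcp", SERVER, fw.nat_map[("tcp", SERVER)]))
    unsolicited = fw.handle(Packet("in", EXT_IF, "tcp", STRANGER, EXT_IP))  # no state: block in
    return lan_in, wan_out, reply_in, lan_out, unsolicited
```

Run `demo()` to see that the reply is admitted by the state created on the "pass out" hop, while an unsolicited inbound packet on sis0 falls through to "block in".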