Peter Clark wrote:
> I have looked through various info including when NAT happens in the
> rules processing and I am still confused. I thought that I could write a
> pass out rule on my external interface that would cover all packets from
> my internal range but I end up writing a rule that passes out on my
> external interface with a source address of the internal range on my
> firewall. Maybe this is the correct way of doing things and I have a
> wire crossed in my brain. I have to write the rule like:
>
> pass out quick on em0 proto tcp from 10.201.1.0/24 to any flags S keep state
>
> instead of:
>
> pass out quick on em0 proto tcp from my.external.ip/32 to any flags S keep state
>
> in order for anything (www, IMAP etc) to work.
> Why would I write the rule with my NAT'ed range and not my external IP?
Because filtering takes place before NAT. The IPFilter FAQ is quite
clear on this:
--------------------------------< quote >-------------------------------
When does NAT happen in relation to filtering?
Incoming packets enter the interface, get NAT'd, get filtered, then (if
they get through the filter) get passed onto the kernel for processing.
Additionally outgoing packets get filtered then NAT'd:
interface --> NAT --> filter --> OS --> filter --> NAT --> interface
--------------------------------< quote >-------------------------------
See that end of chain? filter --> NAT --> interface
In order to confuse yourself less, you could replace your rule with:
pass in quick on <internal-if> proto tcp from 10.201.1.0/24 to any \
flags S keep state
If you are keeping state, you don't need a rule on external interface at
all for traffic originating from your internal network. The state table
takes care of that.
---
... I know enough to know that I don't know enough.
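To show the whole picture the reply describes, here is an added example ruleset (not part of the original message): the outbound filter on em0 sees the pre-NAT 10.201.1.0/24 source, the stateful pass rule lives on the internal interface, and the state table carries the flow across em0 without an extra pass-out rule there. The internal interface name em1, the ipnat map rule and the port range are assumptions; the external address placeholder my.external.ip is taken from the thread.

```conf
# /etc/ipnat.conf (assumed; the thread only implies NAT is in use)
# Outbound traffic from the internal range is rewritten to the em0 address
# AFTER the outbound filter has already seen the 10.201.1.0/24 source.
map em0 10.201.1.0/24 -> 0/32 portmap tcp/udp 10000:60000
map em0 10.201.1.0/24 -> 0/32

# /etc/ipf.conf
# Default deny in both directions; "quick" pass rules below short-circuit.
block in log all
block out log all

# Loopback is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# Internal hosts: filter on the INTERNAL interface (em1, assumed name) where the
# packet first enters. keep state creates a state entry, and that entry lets the
# same flow (and its replies) through em0 on the way out and back in, so no
# separate pass-out rule on em0 is needed for forwarded traffic.
pass in quick on em1 proto tcp from 10.201.1.0/24 to any flags S keep state
pass in quick on em1 proto udp from 10.201.1.0/24 to any keep state

# The firewall's OWN outgoing connections leave em0 with the external address as
# source (no NAT involved), so this is the one place my.external.ip belongs.
pass out quick on em0 proto tcp from my.external.ip/32 to any flags S keep state
pass out quick on em0 proto udp from my.external.ip/32 to any keep state

# Nothing unsolicited is accepted on em0; replies are matched by state first.
block in quick on em0 all
```

Reading order for a LAN client connection: the SYN enters em1, matches the stateful pass-in rule and creates state; on the way out of em0 the state lookup matches before any rule is consulted, the packet is then NAT'd to my.external.ip; the reply arrives on em0, is un-NAT'd back to the 10.201.1.0/24 host and again matches the existing state entry before the `block in quick on em0 all` rule is reached.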