Thanks Toomas,
   It is a matter of my perspective. I was seeing the first:
interface --> NAT --> filter --> OS
and thinking that the NAT had already happened. But because I do not have an explicit rule on "pass in" (as you have suggested) the packet was advancing unchallenged to the second side of that equation and the NAT was happening after the filter.

Thank you for helping me to see this!
Peter Clark

Toomas Aas wrote:
Peter Clark wrote:

I have looked through various info including when NAT happens in the rules processing and I am still confused. I thought that I could write a pass out rule on my external interface that would cover all packets from my internal range but I end up writing a rule that passes out on my external interface with a source address of the internal range on my firewall. Maybe this is the correct way of doing things and I have a wire crossed in my brain. I have to write the rule like:

pass out quick on em0 proto tcp from 10.201.1.0/24 to any flags S keep state

instead of:
pass out quick on em0 proto tcp from my.external.ip/32 to any flags S keep state

in order for anything (www, IMAP etc) to work. Why would I write the rule with my NAT'ed range and not my external IP?


Because filtering takes place before NAT. The IPFilter FAQ is quite clear on this:

--------------------------------< quote >-------------------------------
When does NAT happen in relation to filtering?

Incoming packets enter the interface, get NAT'd, get filtered, then (if they get through the filter) get passed onto the kernel for processing. Additionally outgoing packets get filtered then NAT'd:

interface --> NAT --> filter --> OS --> filter --> NAT --> interface
--------------------------------< quote >-------------------------------

See that end of chain? filter --> NAT --> interface

In order to confuse yourself less, you could replace your rule with:

pass in quick on <internal-if> proto tcp from 10.201.1.0/24 to any \
 flags S keep state

If you are keeping state, you don't need a rule on external interface at all for traffic originating from your internal network. The state table takes care of that.
---
... I know enough to know that I don't know enough.
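The packet path from the FAQ quote is easy to get wrong, so here is a small Python model of it, added as an illustration and not part of the thread or of IPFilter itself. It walks a LAN host's packet through "in on internal interface -> filter -> OS -> filter -> NAT -> out on em0" and records which source address each filter stage sees. The addresses (203.0.113.10 as the external IP, 198.51.100.7 as a destination), the internal interface name em1, and a trailing "block out all" rule on em0 are all constructed assumptions; only "quick" (first-match) rules and a simplified state table are modelled.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed values: 203.0.113.10 is the firewall's external IP (RFC 5737 test range),
# em0 is the external interface named in the thread, em1 is an assumed internal interface.
EXTERNAL_IP = "203.0.113.10"
INTERNAL_NET = ipaddress.ip_network("10.201.1.0/24")
EXT_IF, INT_IF = "em0", "em1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One 'quick' ipf rule: first match wins (non-quick last-match semantics not modelled)."""
    action: str          # "pass" or "block"
    direction: str       # "in" or "out"
    iface: str
    src: ipaddress.IPv4Network
    keep_state: bool = False

    def matches(self, pkt, direction, iface):
        return (self.direction == direction and self.iface == iface
                and ipaddress.ip_address(pkt.src) in self.src)


def nat_outbound(pkt):
    """Outbound 'map' NAT on the external interface: rewrite internal sources to EXTERNAL_IP."""
    if ipaddress.ip_address(pkt.src) in INTERNAL_NET:
        return replace(pkt, src=EXTERNAL_IP)
    return pkt


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # flows (src, dst, proto) admitted by a keep-state rule

    def filter(self, pkt, direction, iface):
        key = (pkt.src, pkt.dst, pkt.proto)
        if key in self.state:
            return "pass"                      # state table short-circuits the rule list
        for rule in self.rules:
            if rule.matches(pkt, direction, iface):
                if rule.action == "pass" and rule.keep_state:
                    self.state.add(key)
                return rule.action
        return "pass"                          # ipf passes packets that no rule matches

    def forward_from_lan(self, pkt):
        """Trace a LAN packet: in on INT_IF -> filter -> OS -> filter -> NAT -> out on EXT_IF.
        Returns a list of (stage, source address seen at that stage, verdict)."""
        trace = []
        # Inbound on the internal interface: NAT (nothing to do for LAN sources), then filter.
        verdict = self.filter(pkt, "in", INT_IF)
        trace.append(("filter in " + INT_IF, pkt.src, verdict))
        if verdict == "block":
            return trace
        # Outbound on the external interface: the filter runs BEFORE NAT, so it still
        # sees the private 10.201.1.x source, never the external IP.
        verdict = self.filter(pkt, "out", EXT_IF)
        trace.append(("filter out " + EXT_IF, pkt.src, verdict))
        if verdict == "block":
            return trace
        natted = nat_outbound(pkt)
        trace.append(("nat out " + EXT_IF, natted.src, "pass"))
        return trace


def final_verdict(rules, pkt):
    """Verdict of the last stage the packet reached."""
    return Firewall(rules).forward_from_lan(pkt)[-1][2]


# Assumed ruleset tail: an explicit block on em0 so the pass rule actually matters.
BLOCK_OUT_ALL = Rule("block", "out", EXT_IF, ipaddress.ip_network("0.0.0.0/0"))
LAN_PKT = Packet(src="10.201.1.5", dst="198.51.100.7")   # constructed LAN host -> web server

# Peter's first attempt: match on the external IP, which the outbound filter never sees.
WRONG = [Rule("pass", "out", EXT_IF, ipaddress.ip_network(EXTERNAL_IP + "/32"), keep_state=True),
         BLOCK_OUT_ALL]
# What he found works: match the pre-NAT private range on the external interface.
WORKS = [Rule("pass", "out", EXT_IF, INTERNAL_NET, keep_state=True), BLOCK_OUT_ALL]
# Toomas's suggestion: pass in on the internal interface with keep state, no out rule needed.
SUGGESTED = [Rule("pass", "in", INT_IF, INTERNAL_NET, keep_state=True), BLOCK_OUT_ALL]

if __name__ == "__main__":
    for name, rules in (("WRONG", WRONG), ("WORKS", WORKS), ("SUGGESTED", SUGGESTED)):
        print(name, Firewall(rules).forward_from_lan(LAN_PKT))
```

Running it shows the three rulesets side by side: the external-IP rule blocks because "filter out em0" is handed the 10.201.1.5 source, the private-range rule passes, and with Toomas's "pass in ... keep state" the outbound filter is satisfied from the state table before any out rule is consulted, after which NAT rewrites the source to 203.0.113.10.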
