On Mon, Sep 21, 2020 at 12:46:15PM +0200, open...@kene.nu wrote:
 
> I am seeing what could be expected behaviour but the small shreds of info I
> can find online seem to suggest otherwise.

It would be interesting to hear which shreds of information you found.

> 
> I have a box that acts as a router and firewall. It forwards packets from
> the internal lan (call it vlan100) and sends them natted out on the external
> lan (call it vlan200).
> 
> The problem I am seeing is that I am unable to filter on vlan200 as the
> match nat rule (match out on vlan200 nat-to vlan200) seems to rewrite the
> source address before any filtering is taken into account.
> 
> Is this intended? I was under the assumption that filtering is done twice
> in my box, as it forwards, once on ingress (where I have a pass quick
> everything rule) and once on egress (where the nat is and where I want the
> filtering done) in a basic Routing->Access->NAT scheme? As it stands now I
> have to filter on ingress.
> 
> My basic ruleset snippet:
> pass quick on vlan100 from any to any
> match out on vlan200 nat-to vlan200
> pass out on vlan200
> block out quick on vlan200 from <no-internet-for-you>

If this is your actual ruleset, you are observing the intended behavior. 
match rule actions are applied directly, so the pass rule would see the already
NATed packets as you have specified.

In a simple case like this you could optionally move the nat-to action to
the pass rule and remove the match rule if that fits your needs better.

All the best,

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

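As an added illustration of the two fixes discussed above (not part of the thread, and not anyone's production ruleset), here is the original ordering beside both corrected forms. The table contents are constructed placeholder addresses.

```pf
# Added example; the <no-internet-for-you> entries are constructed placeholders.
table <no-internet-for-you> persist { 192.0.2.10, 192.0.2.11 }

pass quick on vlan100 from any to any

# As posted: the match rule rewrites the source address immediately, so the
# later block rule only ever sees the vlan200 address and never matches.
# match out on vlan200 nat-to vlan200
# pass out on vlan200
# block out quick on vlan200 from <no-internet-for-you>

# Fix A: filter on the pre-NAT source *before* the match rule rewrites it.
block out quick on vlan200 from <no-internet-for-you>
match out on vlan200 nat-to vlan200
pass out on vlan200

# Fix B (the simpler form suggested in the reply): drop the match rule and put
# nat-to on the pass rule; the block rule still evaluates the original source.
# block out quick on vlan200 from <no-internet-for-you>
# pass out on vlan200 nat-to vlan200
```

Load one variant at a time and check it with `pfctl -nf /etc/pf.conf` before activating it.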