On Mon, Sep 21, 2020 at 1:39 PM Peter N. M. Hansteen <pe...@bsdly.net> wrote:
> On Mon, Sep 21, 2020 at 12:46:15PM +0200, open...@kene.nu wrote:
> >
> > I am seeing what could be expected behaviour, but the small shreds of
> > info I can find online seem to suggest otherwise.
>
> It would be interesting to hear which shreds of information you found.
>

Mainly this, which I now see contradicts itself:
https://forums.freebsd.org/threads/nat-filtering-in-pf-what-happens-if.22783/

> > I have a box that acts as a router and firewall. It forwards packets from
> > the internal lan (call it vlan100) and sends them natted out on the external
> > lan (call it vlan200).
> >
> > The problem I am seeing is that I am unable to filter on vlan200, as the
> > match nat rule (match out on vlan200 nat-to vlan200) seems to rewrite the
> > source address before any filtering is taken into account.
> >
> > Is this intended? I was under the assumption that filtering is done twice
> > in my box as it forwards: once on ingress (where I have a pass quick
> > everything rule) and once on egress (where the nat is and where I want the
> > filtering done), in a basic Routing->Access->NAT scheme. As it stands now I
> > have to filter on ingress.
> >
> > My basic ruleset snippet:
> >
> > pass quick on vlan100 from any to any
> > match out on vlan200 nat-to vlan200
> > pass out on vlan200
> > block out quick on vlan200 from <no-internet-for-you>
>
> If this is your actual ruleset, you are observing the intended behavior.
> match rule actions are applied directly, so the pass rule would see the
> already NATed packets, as you have specified.
>

I noticed the same from some last-minute efforts: the ordering of the match rule matters.

> In a simple case like this you could optionally move the nat-to action to
> the pass rule and remove the match rule, if that fits your needs better.
>

Unfortunately I have many more pass rules that would need NAT applied to them on a case-by-case basis, which is not maintainable, so I guess I have to abort the mission and keep what I have, which is filtering on ingress.

> All the best,
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>

Thanks for the quick and on-point answer. Probably saved a few hours for me.
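An added example, not part of the thread and not the poster's or Peter's ruleset: the pf.conf fragment below restates the original four rules and then shows the same rules reordered so that the block rule is evaluated before the match rule applies nat-to, which is the "ordering of the match rule matters" point made above. The macro names, the table members and the RFC 1918 addresses are assumed for illustration; the parenthesised `($ext_if)` form is the interface-tracking variant of the `nat-to vlan200` the poster used.

```pf
# Added example, not the thread's original ruleset. Interface macros,
# table members and addresses are assumed for illustration.
int_if = "vlan100"
ext_if = "vlan200"
table <no-internet-for-you> { 192.168.100.50, 192.168.100.128/25 }

# --- Ordering from the thread: the block rule never matches ---
# pf evaluates rules in order and a match rule's nat-to is applied to the
# packet immediately, so every later rule on $ext_if sees the translated
# source address and the internal addresses in the table are never seen.
#
# pass  quick on $int_if from any to any
# match out on $ext_if nat-to ($ext_if)
# pass  out on $ext_if
# block out quick on $ext_if from <no-internet-for-you>

# --- Reordered: filter on the untranslated source, then translate ---
pass quick on $int_if from any to any

# Evaluated before the match rule, so it still sees the vlan100 source.
# quick stops evaluation here for listed hosts; nothing below runs for them.
block out quick on $ext_if from <no-internet-for-you>

# Only traffic that survived the block reaches the translation. The single
# match rule still covers every later pass rule, so the pass rules stay
# NAT-free; "($ext_if)" makes the rule follow the interface's address.
match out on $ext_if nat-to ($ext_if)

# Sees the translated address, as the thread describes.
pass out on $ext_if

# --- Alternative Peter mentions: nat-to on the pass rule itself ---
# pass quick on $int_if from any to any
# block out quick on $ext_if from <no-internet-for-you>
# pass out on $ext_if nat-to ($ext_if)
```

Before loading, `pfctl -nf /etc/pf.conf` checks the syntax without installing the rules, `pfctl -sr` shows the loaded rules in the order pf will evaluate them, and `pfctl -t no-internet-for-you -T show` lists the table's current members so you can confirm the blocked hosts are the internal (pre-NAT) addresses.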