On Apr 8, 2005 6:32 AM, Siju George <[EMAIL PROTECTED]> wrote:
> On Apr 6, 2005 10:22 PM, Kimi Ostro <[EMAIL PROTECTED]> wrote:

Hi again,

Well, actually my NAT rule is correct, as I am only translating packets coming _from_ my internal network from ports higher than 1023 (unprivileged ports), not to. Although I think I know where I have gone wrong: I assumed wrongly that packets were filtered first, then translated. Is there a way to change this behaviour? Probably not.

So going by this, my pass rule should read:

    pass out on $ext_if from $ext_if to any port 80 keep state flags S/SA

That works, but seems wrong? Especially if I go by Jacek Artymiak's "Building Firewalls with OpenBSD and pf" book, looking at the rules template on pages 282-283 (NAT + Screened Host/LAN) and then the ruleset on pages 292-293.

Anyway.. would this seem right:

    # connection coming from a client to a webserver + NAT on external interface

The packet enters the internal interface with a source IP of 10.10.10.10 port 40960 and a destination IP of 129.128.5.191 port 80. The pf NAT rule changes the packet's source IP to 30.30.30.30. pf filters the packet according to the rules, finds a matching pass rule, then the kernel will route the packet. The packet arrives on the external interface from the kernel, pf will filter again, finding a matching rule, then the packet is sent to the destination.

Thanks again!

--
spamassassinexception
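An added example, not from this thread or from the book it cites, of a pf.conf laid out the way the post describes: interface names and the 10.10.10.0/24 network are constructed assumptions, while the addresses and ports come from the post. pf evaluates translation rules before filter rules on an interface, so the outbound pass rule on $ext_if has to match the translated source address, and the private address is only seen by the rule on the internal interface.

```pf
# Constructed interface names; replace with the real ones.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "10.10.10.0/24"      # assumed LAN behind $int_if

# Translate LAN traffic leaving $ext_if when it comes from an
# unprivileged source port (> 1023); the source becomes the
# external address (30.30.30.30 in the post's walk-through).
nat on $ext_if from $int_net port > 1023 to any -> ($ext_if)

# Default deny, then open only what is needed.
block all

# Inbound on the LAN side: the packet still carries its private
# source (10.10.10.10:40960 -> 129.128.5.191:80 in the post), so
# the rule matches on the LAN network.
pass in on $int_if proto tcp from $int_net to any port 80 \
    keep state flags S/SA

# Outbound on the external side: by the time this rule is checked the
# nat rule above has already rewritten the source, so matching on the
# private network here would never pass anything. Match on the
# interface's own address instead; keep state so replies are admitted
# by the state entry rather than by an explicit "pass in" rule.
pass out on $ext_if proto tcp from ($ext_if) to any port 80 \
    keep state flags S/SA
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the state entry with the translated source address once a LAN client opens a connection.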