On Mon, 12 Apr 2010 08:56:46 +0059, Jason McIntyre wrote:

>On Mon, Apr 12, 2010 at 05:36:35PM +1000, Rod Whitworth wrote:
>> there is no mention of the "pass out on $ext_if nat-to 1.2.3.4" way of
>> doing NAT in the pf.conf manpage for a "vanilla" firewall. There is one
>> use of the construct but it refers to an unlikely scenario of NATting
>> to a "fake internal" network. That wouldn't jump out of the page to a
>> beginner wanting a simple RFC1928 LAN.
>> 
>
>the EXAMPLES section of pf.conf(5) has a lot of nat stuff in it (we
>formerly had separate example sections for stuff like nat, but we merged
>them all).
>
>the binat-to example in particular should be enough to show a very
>simple example.

I can't agree with that. Quite often we have people wanting (probably
the commonest) a home firewall and these folk are the ones who will
rarely do binat. Besides that all the examples of NAT in the pf.conf
manpage and the upcoming pf FAQ use the match action without ever
explaining why. (I'll get onto Nick in another mail).

>
>> 
>> Further the (only) sample pf.conf, the one in /etc, doesn't really
>> represent a useful ruleset.

I want to pursue that a bit further.
Here is the 4.7 pf.conf:
===
#       $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

set skip on lo

# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

pass            # to establish keep-state

# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
#    rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp


#block in quick from urpf-failed to any # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
====
Comments:
There isn't much active in there and that's fine but the commented out
lines should be doing something useful when uncommented. So let's look
at a few.
I can't object to the spamd lines. They are a complete complement for a
smtpd on either the firewall or downstream with spamd on the gateway.

Now, there are some lines to support ftp proxying. Fine - we may need
that in a NAT situation but there is no NAT rule to give a clue about
NAT and where the rule would sit in the file. So a naive user R'ing The
Fine Manpage would get a "match out /match in" rule pair that deals
with a pool of public addresses. No NAT at its simplest and no
explanation of why match is used.

I found out early in testing a simple ruleset that I couldn't do simple
NAT without using a "pass out" construct so that state was maintained.

OK, assuming we have worked out how to put in a simple NAT what happens
to the remaining rules that may be needed and we'd just have to
uncomment them, right?

Well what happens to that line that says "#pass in quick proto tcp to
port ftp rdr-to 127.0.0.1 port 8021" ?

It's right up the top and it does a pass in quick for anybody outside
sending packets to port 21. The manpage warns us about that and the
rule used in the past said "rdr pass on ! egress proto tcp to port ftp
-> 127.0.0.1 port 8021"  because we only want it to happen for ftp
connections TO the outside world.

Assuming that we got rid of the default "pass" with your choice of
block, that rule should probably be nearer the head.
>> 
>> I've got everything <I> need working but am concerned about the unusual
>> lack of clarity for somebody who has not been using pf for years. At
>> one stage we had a bunch of samples in a /usr/somepath directory and a
>> typical beginners firewall template with commented out spamd stuff in
>> /etc
>> 
>
>i can't claim that no one read those examples, but they were largely
>ignored and forgotten about. the commit message removing them probably
>says as much.
>
>also, with something as complex as pf, it's really nice to have the pf
>faq. if something is not necessarily for the man page, the faq might be
>a good place. you could look there at making some improvements if you
>think there's some basic, helpful, stuff missing.

I think I'll do a really basic home gateway NAT, leaving in the
commented out ftp and spamd stuff. I'll test in the lab for certainty
and pass it on to Nick because it really is a bit late for 4.7 and if
anybody is stumped by the default rules and pf.conf manpage we could
then point them to the FAQ.
>
Can somebody show me a useful ruleset using match to do an elementary
NAT to illustrate why it would be useful as opposed to a pass out rule?

R/


*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.
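The following pf.conf is an added illustration for the two NAT styles the thread is arguing about; it is not a ruleset from the thread, from the OpenBSD sample file, or from the pf FAQ. The interface names, the LAN range and the outbound port list are assumptions chosen for a two-NIC home gateway. It keeps the sample file's ftp-proxy(8) and X11 lines, but pins the ftp redirect to the internal interface so that it no longer passes in from anyone outside to port 21, which is the problem the message raises, and it replaces the sample file's bare "pass" with a default block so that the difference between "pass out nat-to" and "match out nat-to" is visible.

```pf
# Assumed interface names and LAN range (illustrative; substitute your own).
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"

set skip on lo

# Default deny.  With the sample file's bare "pass" in place the match form
# below would appear to work on its own; with a real default block it does not.
block log all

# Elementary NAT, form 1: one "pass out" rule both translates the source
# address and creates the state entry, because pass rules keep state by
# default.  This is the form that works with nothing else in the file.
pass out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Elementary NAT, form 2: "match" only attaches the nat-to option to packets
# it matches; it never passes anything by itself, so a later "pass out" is
# still required to create state.  The point of the split is that the
# translation is written once while the filtering policy (which ports the
# LAN may reach) is expressed separately without repeating nat-to on every
# pass rule.  Uncomment these three lines and remove form 1 to use it.
#match out on $ext_if inet from $lan_net to any nat-to ($ext_if)
#pass out on $ext_if inet proto { tcp udp } from $lan_net to any \
#    port { domain www https ntp }
#pass out on $ext_if inet proto icmp from $lan_net to any

# LAN hosts may talk to the gateway and, via the NAT rule above, beyond it.
pass in on $int_if inet from $lan_net to any

# Connections the gateway itself originates (ftp-proxy's outbound side
# among them).
pass out on $ext_if inet from ($ext_if) to any

# ftp-proxy(8): redirect only FTP control connections arriving from the LAN,
# as the old "rdr pass on ! egress" rule did.  The sample file's rule has no
# "in on <interface>" and so also catches outside hosts connecting to port 21.
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp from $lan_net to any port ftp \
    rdr-to 127.0.0.1 port 8021

# By default, do not permit remote connections to X11 (unchanged from the
# sample file).
block in on ! lo0 proto tcp to port 6000:6010
```

Rule order matters in both forms: pf evaluates top to bottom and the last matching rule wins unless it carries "quick", so the default "block log all" sits first, the pass rules follow it, and only the ftp redirect uses "quick". Check the file with "pfctl -nf /etc/pf.conf" before loading it, and remember that net.inet.ip.forwarding=1 is still needed in /etc/sysctl.conf for packets to cross the gateway at all.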
