
Re: pf, nat, and routing



On Fri, Feb 15, 2002 at 09:18:30PM +0100, Henning Brauer wrote:
> On Fri, Feb 15, 2002 at 01:08:18PM -0700, Ben Goren wrote:
> > When the pf.conf file instead reads
> >
> >     pass in quick on xl1 proto tcp from any to any \
> > 	port 80 flags S/SA keep state
> >     block             out           all
> >     block             in            all
> >     block return-rst  out proto tcp all
> >     block return-rst  in  proto tcp all
> >     block return-icmp out proto udp all
> >     block return-icmp in  proto udp all
> >
> > then  `lynx http://192.0.2.7/`  (a known-working  http server)
> > will  time   out. Attempts  to  connect  on   any  other  port
> > immediately fail with the connection refused.
>
> That's because the packets are  blocked on xl0. A state entry is
> always bound to an interface  with pf, and you even specifically
> bound the whole  rule to xl1, while not binding  the block rules
> to any interface.

Yes; that's a clear and concise way to describe what had been
confusing me.

But! What then is the proper way to permit connections arriving on
one interface to leave on another, and to forbid everything else?

I need to match the packet on xl1 (refer to previous note, id
20020215130818.Z16473@trumpetpower.com) because I need to match
against the right IP address--on xl0, it's already been changed
via NAT to the IP address of xl0. Also, matching on xl1 ensures
that the packets have to come from the internal network and makes
spoofs that much harder.

Is my solution (two rules, one in on xl1 and one out on xl0) the
right one? Is there a better way? (And what about my idea of a new
keyword expansion?)

Thanks,

b&

--
Ben Goren
 mailto:ben@trumpetpower.com
 http://www.trumpetpower.com/
 icbm:33o25'37"N_111o57'32"W

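The two-rule layout the question describes (one stateful pass in on xl1, one stateful pass out on xl0, default block on everything else), written out as a complete ruleset. This is an added example, not a configuration posted in the thread. It assumes an internal LAN of 192.168.1.0/24 behind xl1 and 192.0.2.1 as the public address of xl0; both addresses are made up for illustration. It also assumes a pf where the nat rule and the filter rules share one file; on OpenBSD 3.0 the nat line goes in /etc/nat.conf and is loaded with pfctl -N instead.

```pf
# Added example (not from the original thread).  Assumed addresses:
# internal LAN 192.168.1.0/24 on xl1, public address 192.0.2.1 on xl0.

# Rewrite the source of LAN packets leaving xl0 to xl0's own address.
nat on xl0 from 192.168.1.0/24 to any -> 192.0.2.1

# Default deny on every interface, both directions.  pf takes the LAST
# matching rule (unless a rule says quick), so the plain blocks come
# first and the return-rst/return-icmp blocks after them; that way TCP
# and UDP get an active refusal instead of a silent drop and a timeout.
block             in  all
block             out all
block return-rst  in  proto tcp all
block return-rst  out proto tcp all
block return-icmp in  proto udp all
block return-icmp out proto udp all

# Stage 1: the packet arrives on xl1 still carrying its real internal
# source address.  Matching the source here pins it to the LAN, so a
# packet with a spoofed or foreign source never gets a state entry.
pass in  quick on xl1 proto tcp from 192.168.1.0/24 to any port 80 \
    flags S/SA keep state

# Stage 2: the same packet leaves on xl0 after NAT, now sourced from
# 192.0.2.1.  A state is bound to the interface that created it, so the
# xl1 state does not cover xl0 and a second stateful rule is needed.
# Restricting the source to xl0's own address keeps this rule from
# passing anything that did not come through the NAT.
pass out quick on xl0 proto tcp from 192.0.2.1 to any port 80 \
    flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only, load nothing) before loading it with `pfctl -f /etc/pf.conf`; a ruleset that blocks everything by default is unforgiving of a typo in the pass rules. Replies to the web server's SYN-ACK are matched by the two states, not by the block rules, which is why only port 80 needs explicit pass rules. One caveat for anyone reading this thread today: later pf releases default to floating states (`set state-policy floating`), under which a state created on xl1 also matches the translated packet on xl0, so a single stateful rule on xl1 is then enough; the two-rule form above is what the interface-bound states of the 2002 pf require.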