Re: pf, nat, and routing
On Fri, Feb 15, 2002 at 03:20:30PM -0700, Ben Goren wrote:
> Is my solution (two rules, one in on xl1 and one out on xl0) the
> right one? Is there a better way? (And what about my idea of a new
> keyword expansion?)
Yes, if you want to filter on the original source addresses, the obvious
solution is to do that on the internal interface, when NAT hasn't
changed them yet.
Regarding the automatic expansion: your example didn't include the
different handling of the two local networks. The whole point is that
you want to treat them differently, hence the rules for the internal
interface are different than the ones on the external interface. I don't
see a generic pattern of how to generate one block of rules from the
others, since the whole point of filtering on both interfaces is to have
different rules for them. Different people will use other differences
(most probably, you will want to modify the differences, too), so I'm
not sure we can automate this in a way that is generally useful.
I don't like mixing nat rules into pf.conf, I prefer keeping them
strictly separated. That's how I interpreted your syntax example, not
sure if I got what you meant there.
If you dislike replicating the parts of the rules that both interfaces
share (that's what I would find ugly), you can use macros to get rid of
the redundancy (macros can not only hold a single {} list, but larger
parts of a rule as well).
You might also want to consider adding another internal interface to the
firewall, so you have one for each local network. That's a broader
decision, though. If the firewall is the only connection between the two
local networks, you have more options controlling what can pass between
them.
Another idea would be to use an rdr rule that changes destination
addresses/ports on the internal interface for connections that are not
allowed to pass out, and then block those (already on the internal
interface, since rdr has already taken place), effectively
'null-routing' them.
Or you can make the nat rule on the external interface more restrictive:
only nat the packets with the net block that is allowed to pass out,
leaving the other sources untranslated (then block anything going out of
the external interface with an untranslated address). You can specify
source and destination addresses and _ports_ in nat rules. You don't
have to use a single rule that applies to all packets from 10.x.x.x.
There are many possibilities, and I suggest trying some of them to find out
which one you like best. Which one do you find easiest to explain to a
co-worker, or document, or remember when you need to change something in
two months? That's what I would use :)
Daniel
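As an added example (not part of Daniel's reply or of the original thread), here is a pf.conf that puts the approaches from the reply side by side: filtering on the internal interface where source addresses are still the original ones, a macro holding a rule fragment rather than just a list, a nat rule restricted to the network that may leave plus a block for untranslated addresses on the external interface, and the rdr "null-routing" variant as a commented-out alternative. It assumes xl0 is the external and xl1 the internal interface as in Ben's setup, invents 10.0.1.0/24 as the network that may reach the Internet and 10.0.2.0/24 as the one that may not, and uses the placeholder addresses 192.0.2.10 and 192.0.2.254. It is written in the classic nat/rdr syntax with explicit keep state; OpenBSD 4.1 made keep state the default and 4.7 replaced nat/rdr with match ... nat-to / rdr-to, so adjust for a current release. The translation rules are shown in the same file for brevity, although at the time of the thread they were loaded from a separate nat.conf.

```pf
# Interfaces are taken from the thread; all addresses below are placeholders.
ext_if    = "xl0"
int_if    = "xl1"
ext_addr  = "192.0.2.10"        # placeholder public address on xl0
ok_net    = "10.0.1.0/24"       # may reach the Internet
nok_net   = "10.0.2.0/24"       # must not reach the Internet
internal  = "10.0.0.0/8"        # everything behind xl1
blackhole = "192.0.2.254"       # placeholder sink for the rdr variant

# A macro can hold a larger fragment of a rule, not only a {} list,
# so the service part is written once and reused on both interfaces.
web_dst = "to any port { 80, 443 }"
dns_dst = "to any port 53"

# ---- translation (must precede the filter rules in this syntax) ----
# Only the network that is allowed out gets translated. Packets from
# nok_net keep their 10.x source and are caught on xl0 below.
nat on $ext_if from $ok_net to any -> $ext_addr

# Alternative: rewrite the destination of nok_net's outbound connections
# on xl1 to a sink address, then block the sink in the filter rules.
# rdr on $int_if from $nok_net to ! $internal -> $blackhole

# ---- filtering (last matching rule wins unless "quick") ----
block in all
block out all

# Anything leaving xl0 that still carries an internal source address was
# not translated, i.e. was not supposed to leave; drop it before anything
# else can pass it.
block out quick on $ext_if from $internal to any

# Decide on xl1, where the original source addresses are still visible.
pass in on $int_if proto tcp from $ok_net $web_dst keep state
pass in on $int_if proto udp from $ok_net $dns_dst keep state

# The restricted net may only talk to other internal hosts; everything
# else from it falls through to "block in all".
pass in on $int_if from $nok_net to $internal keep state

# With the rdr variant enabled, block the sink instead (the rdr has
# already been applied when this rule is evaluated):
# block in quick on $int_if from any to $blackhole

# Translated traffic leaving xl0 carries the public address.
pass out on $ext_if from $ext_addr to any keep state
```

Check the file with pfctl -n (parse without loading) before activating it. Both the nat restriction and the xl1 filtering block the restricted network on their own; keeping both means a mistake in one set of rules does not silently open the other path, which is the kind of redundancy that is easy to explain to a co-worker.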