
Re: NAT........



On Mon, Mar 18, 2002 at 06:53:48AM -0600, Milhomem, Marcus wrote:
> Please, this weekend I spent a lot of my time trying to put up an openbsd
> 3.0 firewall/NAT, but as I was reading the firewall how-to from the openbsd
> faq I had some issues that I would like to ask you:
> 
> 1 - What is the difference between the rule NAT and the rule RDL on the
> nat.conf file?

NAT operates on *outgoing* connections.
RDR operates on *incoming* connections.
^^^ not "rdl"

> 2 - In what cases should I use rdl and in what cases should I use nat?

You use RDR when you want to rewrite the destination address of
incoming packets.
You use NAT when you want to rewrite the source address of outgoing
packets.
You use BINAT when you want to do both.

> 3 - In the nat rules can I use variables as in the pf rules? Because I tried
> to use them but I was getting some errors.

Not in 3.0

> 4 - What file is read first at boot, nat or pf? Because I have a firewall
> with 4 nics and only one valid IP so I have to make a lot of pf rules and
> nat rules.

Both files are used.
When you write filter rules, keep in mind that NAT/RDR/BINAT always
happens before filtering rules. This means you should write :

nat.conf:
nat on <your_if> from <internal_ip> to any -> <external_ip>
rdr on <your_if> from any to <external_ip> port ... -> <internal_ip>

pf.conf:
pass in on <your_if> from any to <internal_ip> ...
pass out on <your_if> from <external_ip> to any ...

where <internal_ip> and <external_ip> logically point to the same box.
It's not obvious and it's quite different from what's going on in
IPFilter, but well ...

-- 
Rémi
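As an added illustration of the point above (this is not part of Rémi's reply or the OpenBSD documentation), here is a 3.0-style nat.conf / pf.conf pair for the setup the poster describes: one valid address and several internal networks. The interface names (fxp0), addresses (203.0.113.5, 192.168.x.0/24) and the web server at 192.168.1.10 are all assumed for the example. Since translation runs before filtering, every pf.conf rule is written against the address the packet carries *after* nat/rdr, not the one it arrived with.

```pf
# Added example, not from the original post. Interface names and
# addresses are assumptions. nat.conf in 3.0 takes no macros, so its
# addresses are written out literally.

# ---- /etc/nat.conf ----
# Outbound: rewrite the source of everything leaving fxp0 from the
# internal networks to the single routable address.
nat on fxp0 from 192.168.1.0/24 to any -> 203.0.113.5
nat on fxp0 from 192.168.2.0/24 to any -> 203.0.113.5
nat on fxp0 from 192.168.3.0/24 to any -> 203.0.113.5

# Inbound: rewrite the destination of web traffic aimed at the
# routable address to the internal web server. This happens before
# pf.conf is consulted.
rdr on fxp0 proto tcp from any to 203.0.113.5 port 80 -> 192.168.1.10 port 80

# ---- /etc/pf.conf ----
ext_if    = "fxp0"
ext_ip    = "203.0.113.5"
webserver = "192.168.1.10"

# Default deny on the outside interface: a packet that matches no pass
# rule below is dropped instead of silently passed.
block in  on $ext_if all
block out on $ext_if all

# Inbound web. rdr has already run, so the filter sees the *internal*
# address as destination. A rule written "to $ext_ip port 80" would
# never match here and the connection would hit the block above.
pass in on $ext_if proto tcp from any to $webserver port 80 \
    flags S/SA keep state

# Outbound. nat has already run, so the filter sees $ext_ip as source,
# not the 192.168.x.x address the packet had on the inside interface.
pass out on $ext_if from $ext_ip to any keep state
```

The `block ... all` pair matters: pf passes anything that matches no rule, so a filter whose pass rules were written against the pre-translation addresses would not reject the rdr'd traffic, it would let it through unfiltered. After loading (in 3.0 the NAT and filter rule sets are loaded separately, with `pfctl -N /etc/nat.conf` and `pfctl -R /etc/pf.conf` as I recall them; confirm the flags against your pfctl(8)), `pfctl -s nat` and `pfctl -s rules` show the two rule sets as the kernel parsed them, which is the quickest way to see which address each rule is really matching on.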