
Re: rdr vs pass



I'm not sure I quite understand your question, but rdr is part of
network address translation, which is completely different than
block/pass, which is part of packet filtering. Some people don't use
NAT at all, like bridging, or just filtering from one subnet to
another. Others use NAT, where you have non-routable subnets behind a
firewall, and want them all to access the internet even though you
lack external IPs. Once a packet passes through the NAT table (if you
use it) it then passes through the filter table, and you must filter
based on the newly translated ports/addresses. Seems pretty
straightforward.

Jason
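The ordering Jason describes, written out as an added pf.conf fragment in the OpenBSD 3.x-era syntax (this is an illustration, not a configuration from the original thread). The interface names, the addresses and the "trusted" host are assumed placeholders.

```pf
# Added example, not from the thread. OpenBSD 3.x pf.conf ordering:
# macros, options, scrub, queueing, translation (nat/rdr), then filtering.
# Assumed values: fxp0 = external interface, fxp1 = internal interface,
# 203.0.113.5 = firewall's external address, 192.168.1.10 = internal web
# server, 198.51.100.7 = the one external host allowed to reach it.
ext_if   = "fxp0"
int_if   = "fxp1"
ext_addr = "203.0.113.5"
www_srv  = "192.168.1.10"
trusted  = "198.51.100.7"

# Translation runs first: inbound port-80 traffic addressed to the
# firewall's external IP has its destination rewritten to the web server.
rdr on $ext_if proto tcp from $trusted to $ext_addr port 80 -> $www_srv port 80

# Filtering runs second and sees the *translated* packet, so the pass
# rule must name the internal address/port, not the external one.
# Without the block rule, pf's default is to pass, so rdr alone would
# not restrict anything; "log" is what gives you the audit trail the
# thread mentions.
block in log on $ext_if all
pass in on $ext_if proto tcp from $trusted to $www_srv port 80 keep state
```

A rdr rule only changes where a packet is delivered; whether it is delivered at all is decided by the block/pass rules that run afterwards against the rewritten addresses.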


On Tue, 1 Mar 2005 14:38:57 -0600 (CST), jabbott@abbotts.org
<jabbott@abbotts.org> wrote:
> Could someone please settle a debate I am having at work?  I admit to being old school, having started on IPF with obsd 2.6, now I am running PF on 3.5.  My co-worker has been learning pf over the past year.  I guess the debate is, he thinks pass/block filter rules are redundant and wants to only use redirects, such as: rdr from $oneIP to $anotherInternalIP port whatever.
> I tend to think that:
> pass in on fxp0 from $oneIP to $anotherIP port whatever; and
> block in on fxp0 from any to $anotherInternalIP port whatever
> seems like if everything could be done with redirects, why did the gods of openbsd create rules?  The only real argument I have is rules buy us logging.... ah, assuming somebody is looking at the logs of course.
> 
> What is the opinion of the list?
> 
> --ja
> 
> --