Re: rdr vs pass
Right, we are using nat to redirect the packets to our private network. The question is, I could have a "pass in all" and then use rdr to only limit the ports that will redirect back to the internal network. With redirect you can also use an IP number on the front side so it can work like: rdr from an external IP number to an IP number inside.
--ja
On Tue, 1 Mar 2005, Jason Crawford wrote:
> I'm not sure I quite understand your question, but rdr is part of
> network address translation, which is completely different than
> block/pass, which is part of packet filtering. Some people don't use
> NAT at all, like bridging, or just filtering from one subnet to
> another. Others use NAT, where you have non-routable subnets behind a
> firewall, and want them all to access the internet even though you
> lack external IP's. Once a packet passes through the NAT table (if you
> use it) it then passes through the filter table, and you must filter
> based on the newly translated ports/addresses. Seems pretty straight
> forward.
>
> Jason
>
>
> On Tue, 1 Mar 2005 14:38:57 -0600 (CST), jabbott@abbotts.org
> <jabbott@abbotts.org> wrote:
> > Could someone please settle a debate I am having at work? I admit to being old school, having started on IPF with obsd 2.6, now I am running PF on 3.5. My co-worker has been learning pf over the past year. I guess the debate is, he thinks pass/block filter rules are redundant and wants to only use redirects, such as: rdr from $oneIP to $anotherInternalIP port whatever.
> > I tend to think that:
> > pass in on fxp0 from $oneIP to $anotherIP port whatever; and
> > block in on fxp0 from any to $anotherInternalIP port whatever
> > Seems like if everything could be done with redirects, why did the gods of openbsd create rules? The only real argument I have is rules buy us logging... ah, assuming somebody is looking at the logs of course.
> >
> > What is the opinion of the list?
> >
> > --ja
> >
>
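Added example (not part of the thread, and not anyone's actual pf.conf): a pf.conf fragment in the OpenBSD 3.x-era syntax the thread is discussing, showing Jason's point that the packet is translated by rdr first and then evaluated by the filter rules against the translated address, so the pass rule must name the internal host, not the external address. The interface names and the addresses ($web_srv from a private range, $partner from the 203.0.113.0/24 documentation range) are constructed assumptions.

```conf
# Added example, not from the original thread. Interface names and
# addresses are assumptions; syntax is pre-4.7 OpenBSD pf (rdr + pass).
ext_if  = "fxp0"
int_if  = "fxp1"
web_srv = "192.168.1.10"   # constructed internal host
partner = "203.0.113.5"    # constructed external peer allowed to reach it

set block-policy drop

# Translation section: inbound TCP/80 on $ext_if from $partner has its
# destination rewritten to $web_srv before the filter rules ever see it.
rdr on $ext_if proto tcp from $partner to $ext_if port 80 -> $web_srv port 80

# Filter section. The default filter policy is pass, which is why an rdr
# with no filter rule "just works"; it also means nothing else is blocked
# and nothing is logged. Make the policy explicit instead:
block in log on $ext_if

# The filter sees the translated packet, so match on $web_srv, not on
# the address of $ext_if. This is the rule that gives logging and state.
pass in log on $ext_if proto tcp from $partner to $web_srv port 80 flags S/SA keep state

# Any other inbound traffic to $ext_if (and anything redirected by an rdr
# that has no matching pass rule) hits the block rule above and is logged.
```

With this ruleset, the "rdr only" approach from the thread and the "rdr plus pass/block" approach behave the same for the one allowed flow; the difference is that the block rule closes everything else and the log keyword records both the permitted and the dropped packets, which is the argument ja was reaching for. A quick sanity check before loading is pfctl -nf /etc/pf.conf, which parses the file without applying it.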