On Sunday 11 November 2007 06:41:41 Urban Hillebrand <[EMAIL PROTECTED]>
wrote:
> Hi everyone,
>
> I have a problem with pf redirection. I used this simple setup to reproduce
> this issue:
>
> An external host ("HostA") connects to port 55111 on my external interface
> ($IF_EXT) on my openbsd box. This connection is forwarded to the ssh-port
> of an internal Server ("ServerA") using my internal interface ($IF_INT).
>
> To allow this connection through my packet filter, it was my understanding
> that I'd have at least 3 options (I am aware that redirection occurs before
> filtering):
>
> (1) allow the incoming connection on IF_EXT + allow outgoing connection on
> IF_INT:
> This is of course working without problems.
>
> (2) using "rdr pass" instead of "rdr":
> This works for allowing the incoming connection on $IF_EXT, but I still
> seem to need an outgoing rule on $IF_INT.
>
> (3) using "quick" with my rule for $IF_EXT:
> Same thing happens as with (2).
[...]
An off-list reply cleared things up for me. It simply seems that forwarded
packets have to pass the ruleset twice (once for every interface) -
embarrassingly the very first sentence of the "packet filtering" section in
the pf FAQ seems to suggest exactly this behaviour:
"Packet filtering is the selective passing or blocking of data packets as they
pass through a network interface."
It says "through a network interface" here, not "through the network stack"
or "through your packet filter".
I always thought the packet is first rewritten by rdr, and is then evaluated
once against my ruleset. As I never really liked shortcuts in my ruleset
like "quick" or "rdr pass" and always explicitly specified rules for my
connections on all relevant interfaces, this misunderstanding never posed a
problem.
Sorry if this was an obvious question.
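The setup described in this thread, written out as an added pf.conf fragment (not the poster's own ruleset): the rdr rule on $IF_EXT, then one explicit pass rule per interface the forwarded packet crosses. Interface names, the default-deny rule and the 10.0.0.0/24 and 192.0.2.0/24 addresses are assumed placeholders; the syntax is the pre-4.7 pf syntax in use in 2007.

```pf
# Added example, not from the original post: pf.conf for the described
# setup (rdr syntax of 2007-era OpenBSD). Addresses are constructed.
IF_EXT   = "em0"
IF_INT   = "em1"
SERVER_A = "10.0.0.10"     # internal ssh server ("ServerA")
HOST_A   = "192.0.2.50"    # external client ("HostA")

# Translation happens before filtering: TCP/55111 arriving on $IF_EXT is
# rewritten to TCP/22 -> $SERVER_A before any pass/block rule is evaluated.
rdr on $IF_EXT proto tcp from $HOST_A to ($IF_EXT) port 55111 \
    -> $SERVER_A port 22

# Default deny (assumed). A forwarded packet is then evaluated once on
# each interface it passes through, so it needs a rule on both.
block all

# First pass: inbound on $IF_EXT. Match the *translated* destination
# ($SERVER_A port 22), not port 55111, because rdr already rewrote it.
pass in on $IF_EXT proto tcp from $HOST_A to $SERVER_A port 22 \
    flags S/SA keep state

# Second pass: outbound on $IF_INT. This is the rule the poster found
# still necessary with "rdr pass" or "quick" on the external rule.
pass out on $IF_INT proto tcp from $HOST_A to $SERVER_A port 22 \
    keep state

# Option (2) from the thread, for comparison: "rdr pass" stands in for the
# "pass in on $IF_EXT" rule, but the "pass out on $IF_INT" rule is unchanged.
# rdr pass on $IF_EXT proto tcp from $HOST_A to ($IF_EXT) port 55111 \
#     -> $SERVER_A port 22
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f`; restricting the source to $HOST_A rather than `any` keeps the forwarded port reachable only from the one external host the thread describes.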