On Oct 20 9:03, Greg Troxel wrote:

> I am not a pf expert, but...

Don't worry, me neither :).

> > As it is written here, and exactly as Martin said in a previous
> > thread, `pass stateful out all' ``allows the packet to go out, and
> > also creates a NAT state entry so any answers are allowed back in''.
>
> This creates a state entry. That is a record that packets with some
> protocol, srcaddr/port, dstaddr/port went out, and this creates implicit
> rules that will allow the reverse packets back in. It does not
> configure NAT.

You got the point. Yes, and I can confirm this. ``Also creates a NAT'' confused me. Maybe Martin only meant that the connection is tracked, not that an actual NAT is created. NAT can only be created through `map'.

I put `map $ext_if dynamic $localnet -> $ext_if' in npf.conf. Then I looked at the `SSH_CLIENT' env variable for two ssh connections from different hosts in a LAN connected to the gateway, to a host which is outside $ext_if. In both cases, the env variable showed the IP address of the gateway. This did not happen without the `map' line: in that case, `SSH_CLIENT' had the LAN IP of the host where I started the ssh connection (so they were different in the two connections).

> Yes. That does, and it probably doesn't create a state entry - just
> maps the outgoing packet. Or if it does create state, that state
> probably won't allow an incoming packet (when there is a block all in
> rule).

I am not able to say which of the two options is the right one, but (using the same ssh example as above) the host outside $ext_if, without a `pass stateful out all' rule, is not reachable:

ssh: connect to host <host_IP> port 22: Network is unreachable

> > Given the `map' line which creates a NAT, is `pass stateful out all'
> > (which allows any packet creating a NAT) really necessary? A NAT has
> > already been created with `map'.
>
> I believe it is.

Yes, I can confirm this.

> Absolutely. A firewall that does not do NAT is a very sensible
> concept. You are only configuring NAT because you don't have real
> addresses on your LAN (you and ~everybody else at home).

Exactly. Thank you!

Rocky
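As an added illustration (not part of the thread and not NetBSD's own documentation), here is a minimal npf.conf for a home gateway that puts the two pieces discussed above side by side: the `map' line that does the NAT, and the `pass stateful out all' rule on the external interface that tracks outgoing connections so replies are let back in while everything else inbound is blocked. The interface names wm0/wm1 and the 192.168.1.0/24 network are assumptions.

```npf
# Assumed interface names and LAN prefix; adjust to your gateway.
$ext_if = "wm0"
$int_if = "wm1"
$localnet = { 192.168.1.0/24 }

# NAT: rewrite the source address of LAN traffic leaving $ext_if to the
# gateway's address. This is what makes SSH_CLIENT on the remote host show
# the gateway IP instead of the LAN host's IP.
map $ext_if dynamic $localnet -> $ext_if

group "external" on $ext_if {
	# Without this stateful rule outbound connections fail, even with the
	# map line present: map only rewrites addresses, it does not pass the
	# packet or create the state that lets the reply back in.
	pass stateful out final all
	# No unsolicited inbound traffic on the external interface.
	block in all
}

group "internal" on $int_if {
	pass in final all
	pass out final all
}

group default {
	pass final on lo0 all
	block all
}
```

Reload with `npfctl reload' and check what is actually loaded with `npfctl show'; if outbound connections stop working, verify that the stateful pass rule in the external group is present before blaming the `map' line.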
