On Sunday, Apr 2, 2006, at 00:26 US/Pacific, [EMAIL PROTECTED] wrote:

Is there a document that describes how to translate common IPFilter constructs to pf? This would be helpful for people migrating (like me). Specifically, I'm looking for the pf equivalent of IPFilter's

    map $ext_if 192.168.10.0/24 -> 1.2.3.4/32 proxy port 500 ipsec/udp
    map $ext_if 192.168.10.0/24 -> 1.2.3.4/32 proxy port 10000 ipsec/tcp
    map $ext_if 192.168.10.0/24 -> 1.2.3.4/32 portmap tcp/udp 1025:65000
    map $ext_if 192.168.10.0/24 -> 1.2.3.4/32

The last two rules translate to:

    nat on $ext_if from 192.168.10.0/24 to any -> 1.2.3.4

pf performs the equivalent of ipf's "portmap" for tcp and udp by default.

You probably also want something like this in the filter rules:

    pass out on $ext_if from 1.2.3.4 to any keep state

I'm not that familiar with ipsec, so someone else will have to respond to the first two rules. To help them: ipf contains things like ftp-proxy in kernel, and uses the "proxy" keyword in map rules to activate them. The goal is allowing multiple client machines to work with remote ipsec endpoints through outbound NAT. Jos, if you can explain the high level requirements here (do the client machines all need to talk to the _same_ remote endpoint?), it would help others answer.
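For readers doing the same migration, the following is a complete pf.conf fragment that puts the two rules from the reply above together with the macro they rely on. It is an added illustration, not configuration from the list post; the interface name (em0) and the int_if macro are assumptions, and the addresses are the ones from the thread. It covers only the last two ipf map rules, not the ipsec proxy rules.

```pf
# Added example: pf translation of the plain ipf "map" and "portmap" rules.
# Interface names below are assumptions; addresses come from the thread.
ext_if = "em0"
int_if = "em1"            # assumed LAN interface
lan    = "192.168.10.0/24"
nat_ip = "1.2.3.4"

# ipf:  map $ext_if 192.168.10.0/24 -> 1.2.3.4/32 portmap tcp/udp 1025:65000
# ipf:  map $ext_if 192.168.10.0/24 -> 1.2.3.4/32
# Both collapse to one pf nat rule; pf rewrites the source port for
# tcp/udp on its own, so no explicit "portmap" range is needed.
nat on $ext_if from $lan to any -> $nat_ip

# Filter side: nat only rewrites addresses, the packets still have to be
# passed. Stateful rule for the translated outbound traffic.
pass out on $ext_if from $nat_ip to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `-n` parses without applying, so a typo in a macro or address is caught without dropping the live ruleset.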
