On Fri, Apr 07, 2006 at 12:04:23PM -0400, Gabriel Wachman wrote:

> >>>If NAT translation happens BEFORE any filter rules are evaluated
> >>>(see http://www.openbsd.org/faq/pf/nat.html), then wouldn't it be
> >>>true that an outbound packet from the internal network will be
> >>>seen by the filtering engine as a packet with source IP of the
> >>>firewall?
Yes, a packet from the internal host going out on pf's external interface will have its source address translated already when it is filtered.

For incoming packets of the same connection, the point is moot. Since there always is a state entry for translated connections, the incoming replies will match that state entry and pass without any ruleset evaluation. Hence, it's irrelevant whether the ruleset would be evaluated before or after the reply's destination address is translated back, because it isn't evaluated for such packets.

> >To me, that clearly indicates that the filtering engine sees only the
> >post-translated packets, with no idea of the contents of the
> >pre-translated packets. Therefore the filtering engine should only
> >see the translated source IP and destination IP of outbound and
> >inbound packets, respectively, from the NAT'ed internal network.

On the external interface, that is true.

Each packet is filtered on both interfaces, the internal one and the external one. On the external one you'll be seeing already translated packets, on the internal one not-yet (or back-)translated packets.

So, if you want pf to make decisions based on the untranslated source address, you can do so on the internal interface. You can either block based on address there, or add a tag to the packet, which will be recognized by rules on the external interface.

The only question from you I seem to be able to identify is "is the FAQ correct", and the answer is "yes". If I missed the real question, or you just didn't ask it, explain :)

Daniel
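Added example, not part of the thread: a pf.conf fragment in the syntax of that era (explicit nat rule, explicit keep state) showing the two options Daniel describes for acting on the untranslated source address. The interface names fxp0/fxp1, the 192.168.1.0/24 network and the "restricted" host 192.168.1.50 are assumptions chosen for illustration. Option 1 blocks by address on the internal interface, where the packet still carries its real source; option 2 tags the packet on the internal interface and lets a rule on the external interface, where the source is already ($ext_if), decide based on that tag.

```pf
# Assumed names and addresses; adjust to your setup.
ext_if = "fxp0"
int_if = "fxp1"
int_net = "192.168.1.0/24"
restricted = "192.168.1.50"

# Translation happens before filtering: by the time a packet is filtered
# on $ext_if, its source is already ($ext_if), not the internal host.
nat on $ext_if from $int_net to any -> ($ext_if)

block all

# Option 1: filter by address on the internal interface, where the
# source address is still untranslated. Here: no outbound SMTP from
# the restricted host.
block in quick on $int_if proto tcp from $restricted to any port 25

# Option 2: tag on the internal interface, decide on the external one.
# The tag is an internal marker carried with the packet (and its state),
# so rules on $ext_if can match it even though the address is translated.
pass in on $int_if proto tcp from $restricted to any keep state tag RESTRICTED
pass in on $int_if from $int_net to any keep state

# On $ext_if the source is ($ext_if) for every internal host; only the
# tag still identifies packets that originated from $restricted.
block out quick on $ext_if proto tcp to any port 25 tagged RESTRICTED
pass out on $ext_if from ($ext_if) to any keep state
```

Load-check it with `pfctl -nf /etc/pf.conf` before activating. Note that the tag only helps for the first packet of a connection; once the state entry exists, replies and subsequent packets match the state and never hit the ruleset, which is the same point Daniel makes about incoming replies.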
