PF binat rule issue - feature or bug?

2009-12-04 Thread Greg Barniskis
Using 7.2-RELEASE-p4 i386 with GENERIC kernel, I've found (the hard way) 
that if I have a pf.conf rule like


nat on $ext_if proto { tcp udp icmp } from $my_subnet \
  to any -> some.public.ip.num

then pfctl will perform the expected expansion of the listed protocols 
into three separate NAT rules.


However, if I have a rule like

binat on $ext_if proto { tcp udp icmp } from $server_dmz_ip \
  to any -> $server_public_ip

then I will /only/ get one NAT rule, for TCP.

Then things like NTP, DNS and ping will fail, but the filtering rules 
that permit such traffic will increment their byte, packet and state 
counters like PF is working just fine (and I suppose in some sense that 
the filtering part is). But only if I explicitly declare in pf.conf a 
separate binat rule for each desired protocol, instead of listing them, 
will things work as needed.


Feature or bug? If the former, it is not well documented that I could 
see. I expected that a list of protocols for a binat rule would just 
work, and pfctl certainly didn't mark it as bad syntax. If a bug, is 
this a FreeBSD bug or OpenBSD?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: PF binat rule issue - feature or bug?

2009-12-04 Thread George Davidovich
On Fri, Dec 04, 2009 at 10:41:20AM -0600, Greg Barniskis wrote:
> Using 7.2-RELEASE-p4 i386 with GENERIC kernel, I've found (the hard way) 
> that if I have a pf.conf rule like
> 
> nat on $ext_if proto { tcp udp icmp } from $my_subnet \
>   to any -> some.public.ip.num
> 
> then pfctl will perform the expected expansion of the listed protocols 
> into three separate NAT rules.
> 
> However, if I have a rule like
> 
> binat on $ext_if proto { tcp udp icmp } from $server_dmz_ip \
>   to any -> $server_public_ip
> 
> then I will /only/ get one NAT rule, for TCP.
> 
> Then things like NTP, DNS and ping will fail, but the filtering rules 
> that permit such traffic will increment their byte, packet and state 
> counters like PF is working just fine (and I suppose in some sense that 
> the filtering part is). But only if I explicitly declare in pf.conf a 
> separate binat rule for each desired protocol, instead of listing them, 
> will things work as needed.
> 
> Feature or bug? If the former, it is not well documented that I could 
> see. I expected that a list of protocols for a binat rule would just 
> work, and pfctl certainly didn't mark it as bad syntax. If a bug, is 
> this a FreeBSD bug or OpenBSD?

The BNF grammar in pfconf(5) suggests that binat rules don't take a
list.  Summarised:

nat-rule   = ... proto ( proto-name | proto-number | { proto-list } )

binat-rule = ... proto ( proto-name | proto-number )  

-- 
George
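As an added illustration (not part of either message above), here is a pf.conf fragment in the FreeBSD 7.x rule syntax that puts the thread's two rule forms side by side: a nat rule with a protocol list, and the binat equivalent written one rule per protocol, which is the form the original poster found to work. The interface name and addresses are placeholders, not values from the thread.

```conf
# Added example, not code from the thread. Interface and addresses are
# placeholders; substitute your own.
ext_if = "em0"
my_subnet = "192.168.1.0/24"
nat_ip = "203.0.113.1"
server_dmz_ip = "10.0.0.10"
server_public_ip = "203.0.113.10"

# nat accepts a protocol list; pfctl expands it into three separate rules.
nat on $ext_if proto { tcp udp icmp } from $my_subnet to any -> $nat_ip

# The pfconf(5) grammar gives binat a single proto-name or proto-number,
# not a list, so spell out one binat rule per protocol.
binat on $ext_if proto tcp  from $server_dmz_ip to any -> $server_public_ip
binat on $ext_if proto udp  from $server_dmz_ip to any -> $server_public_ip
binat on $ext_if proto icmp from $server_dmz_ip to any -> $server_public_ip

# The proto clause on binat is optional; omitting it translates every
# protocol bidirectionally with one rule:
# binat on $ext_if from $server_dmz_ip to any -> $server_public_ip
```

To see what pfctl actually generated from a list before trusting it, parse the file without loading it and print the expanded rules with `pfctl -nvf /etc/pf.conf`; after loading, `pfctl -s nat` lists the nat, rdr and binat rules that are in effect, so a binat list that silently collapsed to a single protocol shows up there rather than as failing NTP, DNS or ping.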