Re: PF Natting before filtering
On 2020-09-21, open...@kene.nu wrote: >> > My basic ruleset snippet: >> > pass quick on vlan100 from any to any >> > match out on vlan200 nat-to vlan200 >> > pass out on vlan200 >> > block out quick on vlan200 from >> >> If this is your actual ruleset, you are observing the intended behavior. >> match rule actions are applied directly, so the pass rule would see the >> already >> NATed packets as you have specified. >> > > I noticed the same from some last minute efforts, the ordering of the match > rule matters. > > >> In a simple case like this you could optionally move the nat-to action to >> the pass rule and remove the match rule if that fits your needs better. >> > > Unfortunately I have many more pass rules that would need NAT applied to it > on a case-by-case basis which is not maintainable so I guess I have to > abort the mission and keep what I have, which is filtering on ingress. > me. Try tagging the relevant addresses (match from tag whatever) before the nat rule, then "block out quick on vlan200 tagged whatever". Or tag the packets you _do_ want to allow and "pass out tagged permitted".
Re: PF Natting before filtering
On Mon, Sep 21, 2020 at 02:14:25PM +0200, open...@kene.nu wrote: > > > can find online seems to suggest otherwise. > > > > It would be interesting to hear which shreds of information you found. > > > Mainly this which I see now contradicts itself. > https://forums.freebsd.org/threads/nat-filtering-in-pf-what-happens-if.22783/ It's important to be aware that FreeBSD's PF is ancient, on par with roughly what was in OpenBSD 4.5. The NAT code on the OpenBSD side of the fence was totally rewritten for 4.7 which is also IIRC when match was introduced. You may have noticed that FreeBSD's PF does not have match rules. I hope you find a workable solution for what you need to do. All the best, -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: PF Natting before filtering
On Mon, Sep 21, 2020 at 1:39 PM Peter N. M. Hansteen wrote: > On Mon, Sep 21, 2020 at 12:46:15PM +0200, open...@kene.nu wrote: > > > I am seeing what could be expected behaviour but the small shreds of > info I > > can find online seems to suggest otherwise. > > It would be interesting to hear which shreds of information you found. > > Mainly this which I see now contradicts itself. https://forums.freebsd.org/threads/nat-filtering-in-pf-what-happens-if.22783/ > > > I have a box that acts as a router and firewall. It forwards packets from > > the internal lan (call it vlan100) and sends it natted out on the > external > > lan (call it vlan200). > > > > The problem I am seeing is that I am unable to filter on vlan200 as the > > match nat rule (match out on vlan200 nat-to vlan200) seems to rewrite the > > source address before any filtering is taken into account. > > > > Is this intended? I was under the assumption that filtering is done twice > > in my box, as it forwards, once on ingress (where I have a pass quick > > everything rule) and one on egress (where the nat is and where I want the > > filtering done) in a basic Routing->Access->NAT scheme? As it stands now > I > > have to filter on ingress. > > > > My basic ruleset snippet: > > pass quick on vlan100 from any to any > > match out on vlan200 nat-to vlan200 > > pass out on vlan200 > > block out quick on vlan200 from > > If this is your actual ruleset, you are observing the intended behavior. > match rule actions are applied directly, so the pass rule would see the > already > NATed packets as you have specified. > I noticed the same from some last minute efforts, the ordering of the match rule matters. > In a simple case like this you could optionally move the nat-to action to > the pass rule and remove the match rule if that fits your needs better. > Unfortunately I have many more pass rules that would need NAT applied to it on a case-by-case basis which is not maintainable so I guess I have to abort the mission and keep what I have, which is filtering on ingress. > All the best, > > -- > Peter N. M. Hansteen, member of the first RFC 1149 implementation team > http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ > "Remember to set the evil bit on all malicious network traffic" > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds. > > Thanks for the quick and on-point answer. Probably saved a few hours for me.
Re: PF Natting before filtering
On Mon, Sep 21, 2020 at 12:46:15PM +0200, open...@kene.nu wrote: > I am seeing what could be expected behaviour but the small shreds of info I > can find online seems to suggest otherwise. It would be interesting to hear which shreds of information you found. > > I have a box that acts as a router and firewall. It forwards packets from > the internal lan (call it vlan100) and sends it natted out on the external > lan (call it vlan200). > > The problem I am seeing is that I am unable to filter on vlan200 as the > match nat rule (match out on vlan200 nat-to vlan200) seems to rewrite the > source address before any filtering is taken into account. > > Is this intended? I was under the assumption that filtering is done twice > in my box, as it forwards, once on ingress (where I have a pass quick > everything rule) and one on egress (where the nat is and where I want the > filtering done) in a basic Routing->Access->NAT scheme? As it stands now I > have to filter on ingress. > > My basic ruleset snippet: > pass quick on vlan100 from any to any > match out on vlan200 nat-to vlan200 > pass out on vlan200 > block out quick on vlan200 from If this is your actual ruleset, you are observing the intended behavior. match rule actions are applied directly, so the pass rule would see the already NATed packets as you have specified. In a simple case like this you could optionally move the nat-to action to the pass rule and remove the match rule if that fits your needs better. All the best, -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
PF Natting before filtering
Hello, I am seeing what could be expected behaviour but the small shreds of info I can find online seems to suggest otherwise. I have a box that acts as a router and firewall. It forwards packets from the internal lan (call it vlan100) and sends it natted out on the external lan (call it vlan200). The problem I am seeing is that I am unable to filter on vlan200 as the match nat rule (match out on vlan200 nat-to vlan200) seems to rewrite the source address before any filtering is taken into account. Is this intended? I was under the assumption that filtering is done twice in my box, as it forwards, once on ingress (where I have a pass quick everything rule) and one on egress (where the nat is and where I want the filtering done) in a basic Routing->Access->NAT scheme? As it stands now I have to filter on ingress. My basic ruleset snippet: pass quick on vlan100 from any to any match out on vlan200 nat-to vlan200 pass out on vlan200 block out quick on vlan200 from
