Re: bi-nat behavior and anchor limitation
On 2012-09-13, Michel Blais mic...@targointernet.com wrote:

> Hi,
>
> I just encountered a strange behavior with the bi-nat rules. Since we optimize our firewall script via multiple anchors for our thousands of bi-nat rules, we don't use the bi-nat rule but instead use the 2 rules in different anchors. Example:
>
> anchor out on $ext_if from 192.168.0.0/16 {
>     anchor out on $ext_if from 192.168.0.0/24 {
>         match out on $ext_if inet from 192.168.0.1 to any nat-to X.Y.Z.1 static-port
>         match out on $ext_if inet from 192.168.0.2 to any nat-to X.Y.Z.2 static-port
>     }
> }
>
> anchor in on $ext_if to X.Y.Z.0/20 {
>     anchor in on $ext_if to X.Y.Z.0/24 {
>         match in on $ext_if inet from any to X.Y.Z.1 rdr-to 192.168.0.1
>         match in on $ext_if inet from any to X.Y.Z.2 rdr-to 192.168.0.2
>     }
> }

Can't help with the anchor thing (I don't see how they would simplify my rulesets, so I only use them as places for other programs to hook into the ruleset, e.g. ftp-proxy etc). But if the rules are exactly how you show, with 192.168.0.nn and X.Y.Z.nn (same nn for original and translated addresses), are you aware of this in pf.conf(5), which seems tailor-made for this type of configuration?

[...]

    For af-to, nat-to and rdr-to options for which there is a single
    redirection address which has a subnet mask smaller than 32 for IPv4
    or 128 for IPv6 (more than one IP address), a variety of different
    methods for assigning this address can be used:

    bitmask
        The bitmask option applies the network portion of the
        redirection address to the address to be modified (source with
        nat-to, destination with rdr-to).

[...]
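As an added illustration (not code from the thread or from pf itself), here is a Python sketch of what pf's bitmask option computes, and of how one nat-to/rdr-to pair with bitmask covers the same mapping as the per-host rule pairs quoted above. The public block 203.0.113.0/24 is a constructed stand-in for the elided X.Y.Z.0/24.

```python
import ipaddress

# Constructed example networks: the thread's X.Y.Z.0/24 is elided, so the
# documentation range 203.0.113.0/24 stands in for the public block.
PRIVATE_NET = ipaddress.ip_network("192.168.0.0/24")
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")


def bitmask_translate(addr: str, redirect_net: ipaddress.IPv4Network) -> str:
    """Apply the pf.conf(5) 'bitmask' method: the network portion of the
    redirection address replaces the network portion of the address being
    modified, and the host bits of the original address are kept as-is."""
    a = int(ipaddress.ip_address(addr))
    net = int(redirect_net.network_address)
    hostmask = int(redirect_net.hostmask)
    return str(ipaddress.ip_address(net | (a & hostmask)))


def nat_to(src: str) -> str:
    """Outbound: source 192.168.0.nn becomes 203.0.113.nn."""
    return bitmask_translate(src, PUBLIC_NET)


def rdr_to(dst: str) -> str:
    """Inbound: destination 203.0.113.nn becomes 192.168.0.nn."""
    return bitmask_translate(dst, PRIVATE_NET)


def collapsed_rules(ext_if: str = "$ext_if") -> list:
    """The two bitmask rules that replace one match pair per host."""
    return [
        f"match out on {ext_if} inet from {PRIVATE_NET} to any "
        f"nat-to {PUBLIC_NET} bitmask static-port",
        f"match in on {ext_if} inet from any to {PUBLIC_NET} "
        f"rdr-to {PRIVATE_NET} bitmask",
    ]


def expanded_rules(ext_if: str = "$ext_if") -> tuple:
    """The equivalent per-host rules in the form used in the thread,
    derived by pushing every host of the /24 through the bitmask mapping."""
    out_rules, in_rules = [], []
    for host in PRIVATE_NET.hosts():
        pub = nat_to(str(host))
        out_rules.append(f"match out on {ext_if} inet from {host} to any "
                         f"nat-to {pub} static-port")
        in_rules.append(f"match in on {ext_if} inet from any to {pub} "
                        f"rdr-to {host}")
    return out_rules, in_rules
```

Running `expanded_rules()` reproduces 254 rule pairs of the quoted shape, while `collapsed_rules()` shows the two lines that express the same mapping.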
bi-nat behavior and anchor limitation
Hi,

I just encountered a strange behavior with the bi-nat rules. Since we optimize our firewall script via multiple anchors for our thousands of bi-nat rules, we don't use the bi-nat rule but instead use the 2 rules in different anchors. Example:

anchor out on $ext_if from 192.168.0.0/16 {
    anchor out on $ext_if from 192.168.0.0/24 {
        match out on $ext_if inet from 192.168.0.1 to any nat-to X.Y.Z.1 static-port
        match out on $ext_if inet from 192.168.0.2 to any nat-to X.Y.Z.2 static-port
    }
}

anchor in on $ext_if to X.Y.Z.0/20 {
    anchor in on $ext_if to X.Y.Z.0/24 {
        match in on $ext_if inet from any to X.Y.Z.1 rdr-to 192.168.0.1
        match in on $ext_if inet from any to X.Y.Z.2 rdr-to 192.168.0.2
    }
}

We just found that by adding the in rules before the out rules in the pf script, only the incoming rules will be applied and outgoing packets will match the default nat instead. Any reason for this behavior that I can understand? Anyway, I also wanted to leave a note in the misc archive about this, since I didn't find anything while searching on marc.info, and I searched it for days.

Also, is it a pfctl limitation to not be able to use it on an anchor inside another anchor, or am I missing something? Example: I load an anchor in the main ruleset named A, and in A I load another anchor named B. Is there any way to use pfctl on the B anchor?

# pfctl -sA
A
# pfctl -a A -sA
B
#

Thanks
Michel
Re: bi-nat behavior and anchor limitation
On 2012-09-13 11:34, Michel Blais wrote:

> Also, is it a pfctl limitation to not be able to use it on an anchor inside another anchor, or am I missing something? Example: I load an anchor in the main ruleset named A, and in A I load another anchor named B. Is there any way to use pfctl on the B anchor?
>
> # pfctl -sA
> A
> # pfctl -a A -sA
> B
> #

Thanks to Martin Pelikan, who answered me outside of the mailing list; the syntax is:

# pfctl -a A/B -sA

Before he wrote to me, I didn't notice that while using

# pfctl -a A -sA

it was displayed like

A/B
A/C
A/D

--
Michel Blais
Administrateur réseau / Network administrator
Targo Communications
www.targo.ca
514-448-0773