match in nat-to rule

2014-05-19 Thread Alexey Kurinnij
The nat-to rule does not work with match but works with pass:
match out quick on egress inet from !(egress:network) to any nat-to (egress:0) - does not work
pass out quick on egress inet from !(egress:network) to any nat-to (egress:0) - works
Today I installed 5.5 and copied my old pf.conf to the new system, and removed the queuing
rules, but NAT does not work with this config.
I removed all restriction rules and put accept-all on outgoing traffic on both
interfaces and on all input on the internal interface.
What am I doing wrong?

# cat /etc/pf.conf
# macros
int_if=re0
ext_if=rl0

tcp_ext_services={ 22, 443, 51413 }
tcp_int_services={ 22, 53, 80 }
udp_int_services={ 53, 69 }
icmp_types=echoreq

# options
set block-policy drop
set skip on lo

# match rules
pass out quick on egress inet from !(egress:network) to any nat-to (egress:0)
match in on egress proto tcp from !$int_if to (egress) port 443 \
rdr-to (egress) port 22
# filter rules
block log
antispoof quick for { lo $int_if }
pass in inet proto icmp all icmp-type $icmp_types

# filter rules for (egress)
pass in on egress inet proto tcp from any to (egress) \
port $tcp_ext_services
pass out on egress from (egress)

# filter rules for $int_if
pass in on $int_if proto tcp from $int_if:network to $int_if port $tcp_int_services
pass in on $int_if proto udp from $int_if:network to $int_if port $udp_int_services
pass in on $int_if from $int_if:network to !$int_if

pass out on $int_if to $int_if:network
Re: match in nat-to rule

2014-05-19 Thread Giancarlo Razzolini
On 19-05-2014 14:51, Peter N. M. Hansteen wrote:
> Alexey Kurinnij alexey.kurin...@gmail.com writes:
>
>> nat-to rule not work if match and work when pass:
>> match out quick on egress inet from !(egress:network) to any nat-to (egress:0) - not work
>> pass out quick on egress inet from !(egress:network) to any nat-to (egress:0) - work
>
> Well, the match would need to be supplemented by a pass rule that
> matches whatever the packet looks like *after* the transformation the
> match rule performs. After the match rule here, the source address is
> whatever (egress:0) works out to be in your system, so you need a pass
> rule that matches that specification.
>
> And on a side note, the way to untangle stuff like this is to add log
> (matches) to rules for debugging. That will log all rules your packet
> matches after it has matched your logging rule.
>
> I have a fairly trivial illustration in the tutorial slides at
> http://home.nuug.no/~peter/pf/newest/log.match.matches.html
>
> - Peter
Also, I only use rdr-to in pass rules, not in match. That's because, as
Peter said, you can't always predict what the packet will look like
after your match rule. In addition to logging, you can always use tags
to control your packet flow. This way you can effectively debug your
ruleset. Also, I'm using pflow(4) with nfsen to capture the flows and
analyze them afterwards.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
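The following pf.conf fragment is an added illustration of the two points made in this thread (Peter's: a match nat-to rule needs a later pass rule written for the translated packet; and log (matches) as the debugging aid). It is not from the original posts or from the OpenBSD project; the interface names, macros and the choice of egress group are assumptions carried over from the poster's setup, and it has not been loaded on the poster's system.

```pf
# Added example, not the poster's config: NAT done with a match rule, plus the
# pass rule that has to follow it.
int_if = "re0"   # assumed: internal interface, as in the thread

set skip on lo
block log

# 1. match only performs the translation; it makes no pass/block decision.
#    log (matches) also records every later rule this packet matches, so the
#    whole path through the ruleset can be read from pflog0
#    (e.g. tcpdump -n -e -ttt -i pflog0).
match out log (matches) on egress inet from $int_if:network to any \
    nat-to (egress:0)

# 2. After the match rule the source address is already the egress address,
#    so the pass rule must describe the translated packet, not the LAN one.
pass out quick on egress inet from (egress) to any

# Would NOT pass the NATed traffic by itself: by the time the packet reaches
# this rule its source is no longer in $int_if:network.
#pass out on egress inet from $int_if:network to any

# Inbound on the LAN side unchanged from the usual pattern.
pass in on $int_if inet from $int_if:network to any
pass out on $int_if inet to $int_if:network
```

With a pass-based nat-to (as in the poster's working line) the pass decision and the translation happen in the same rule, which is why it needs no second rule; the match variant separates the two, and the commented-out rule shows the mismatch that Peter's reply describes.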