match in nat-to rule
The nat-to rule does not work as match, but works as pass:

match out quick on egress inet from !(egress:network) to any nat-to (egress:0)   - does not work
pass out quick on egress inet from !(egress:network) to any nat-to (egress:0)    - works

Today I installed 5.5 and copied my old pf.conf to the new system, removing the queueing rules, but NAT does not work with this config. I removed all restriction rules and allowed all outgoing traffic on both interfaces and all input on the internal interface. What am I doing wrong?

# cat /etc/pf.conf
# macros
int_if = "re0"
ext_if = "rl0"
tcp_ext_services = "{ 22, 443, 51413 }"
tcp_int_services = "{ 22, 53, 80 }"
udp_int_services = "{ 53, 69 }"
icmp_types = "echoreq"

# options
set block-policy drop
set skip on lo

# match rules
pass out quick on egress inet from !(egress:network) to any nat-to (egress:0)
match in on egress proto tcp from !$int_if to (egress) port 443 \
    rdr-to (egress) port 22

# filter rules
block log
antispoof quick for { lo $int_if }
pass in inet proto icmp all icmp-type $icmp_types

# filter rules for (egress)
pass in on egress inet proto tcp from any to (egress) \
    port $tcp_ext_services
pass out on egress from (egress)

# filter rules for $int_if
pass in on $int_if proto tcp from $int_if:network to $int_if port $tcp_int_services
pass in on $int_if proto udp from $int_if:network to $int_if port $udp_int_services
pass in on $int_if from $int_if:network to !$int_if
pass out on $int_if to $int_if:network
Re: match in nat-to rule
On 19-05-2014 14:51, Peter N. M. Hansteen wrote:
> Alexey Kurinnij alexey.kurin...@gmail.com writes:
>
>> The nat-to rule does not work as match, but works as pass:
>>
>> match out quick on egress inet from !(egress:network) to any nat-to (egress:0)   - does not work
>> pass out quick on egress inet from !(egress:network) to any nat-to (egress:0)    - works
>
> Well, the match would need to be supplemented by a pass rule that matches
> whatever the packet looks like *after* the transformation the match rule
> performs. After the match rule here, the source address is whatever
> (egress:0) works out to be on your system, so you need a pass rule that
> matches that specification.
>
> And on a side note, the way to untangle stuff like this is to add
> "log (matches)" to rules for debugging. That will log all rules your
> packet matches after it has matched your logging rule. I have a fairly
> trivial illustration in the tutorial slides at
> http://home.nuug.no/~peter/pf/newest/log.match.matches.html
>
> - Peter

Also, I only use rdr-to in pass rules, not in match. That's because, as Peter said, you can't always predict what the packet will look like after your match rule. In addition to logging, you can always use tags to control your packet flow. This way you can effectively debug your ruleset. Also, I'm using pflow(4) with nfsen to capture the flows and post-analyze them.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
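As an added illustration (not a config from the thread or from either reply), here is the NAT section of the original post rewritten the way Peter and Giancarlo suggest: the match rule only rewrites the source address and tags the packet, the pass rule that actually lets it out is written for the packet as it looks after translation, and log (matches) on the match rule records every later rule the packet hits so pflog shows where the verdict is made. Interface names and ports are those from the original post; the tag names NATTED and FWD_SSH are my own. One check first: the failing rule in the post carried quick, and a quick rule ends evaluation at itself, so if pfctl accepts quick on a match rule the packet never reaches pass out on egress and the last matching pass or block rule before it (block log in the posted ruleset) decides. Leaving quick off the match rule removes that possibility, and the pflog output shows which case applies.

```pf
# macros (same interfaces as the original post)
int_if = "re0"
ext_if = "rl0"      # member of the egress group

set block-policy drop
set skip on lo

# 1. NAT as a match rule. No quick: match never sets the pass/block verdict
#    by itself, and a quick here would stop evaluation before any pass rule.
#    log (matches) logs this packet against every later rule it matches, so
#    "tcpdump -n -e -ttt -i pflog0" shows exactly which rule decided.
#    The tag marks the packet so a later pass rule can select it without
#    guessing what (egress:0) resolved to.
match out log (matches) on egress inet from !(egress:network) to any \
    nat-to (egress:0) tag NATTED

# 2. Port forward, also as match. The pass rule further down is written for
#    the post-rdr destination port (22), not the port clients connect to (443).
match in on egress inet proto tcp from !$int_if to (egress) port 443 \
    rdr-to (egress) port 22 tag FWD_SSH

block log
antispoof quick for { lo $int_if }

# 3. Pass rules describe the packet AFTER the match rules rewrote it.
#    Outbound: the source is now (egress:0), so "from (egress)" matches;
#    "tagged NATTED" states the intent and does not depend on the address.
pass out quick on egress tagged NATTED
pass out on egress from (egress)

#    Inbound forwarded SSH: destination is (egress) port 22 after rdr-to.
pass in on egress inet proto tcp from any to (egress) port 22 tagged FWD_SSH
pass in on egress inet proto tcp from any to (egress) port { 22, 443, 51413 }

# internal side, unchanged from the post
pass in on $int_if from $int_if:network to !$int_if
pass out on $int_if to $int_if:network
```

Load it with pfctl -nf /etc/pf.conf first to catch syntax errors, then pfctl -f, and watch pflog0 while a host behind $int_if makes an outbound connection: with log (matches) on the match rule you should see one line for the match rule and one for the pass rule that accepted the translated packet. If the only later line is block log, the packet is not reaching a pass rule that describes its post-translation form.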