Rules are processed after NAT or redirections are done.
Simple example:
Code:
nat on em0 from any to any -> (em0) # this is for outgoing traffic
rdr on em0 from any to any port 8080 -> 192.168.56.42 # this is for incoming traffic
In order to create a rule for this you need to account for the fact that the destination address is translated by the redirection before the rules are processed.
Code:
pass in on em0 from any to 192.168.56.42 port 8080
If there's an em1 interface connected to 192.168.56.0/24 you would also need a rule to allow the traffic going out on the internal interface:
Code:
pass out on em1 from any to 192.168.56.42 port 8080
1) Suppose both nat and rdr rules are present. In this case, are the nat rules strictly executed first, followed by the rdr rules, on each packet, or does the order not matter for nat and rdr rule execution?
2) This is my understanding of the rules which are mentioned in the previous post:
Example packet with the following address and port details entered into a firewall through the em0 (192.168.10.0/24) external interface:
<code>
10.182.0.102 = external system ip
192.168.10.0= em0 of firewall
source addr(10.182.0.102) | sourceport (34342) |dst addr(192.168.10.0 ) | dst port (8080)
</code>
3) Then the following rdr rule is applied to this packet and it is translated into the following format:
<code>
rdr on em0 from any to any port 8080 -> 192.168.56.42 # this is for incoming traffic
</code>
Translated packet after passing through above rdr rule:
<code>
Entered packet:
source addr(10.182.0.102) | sourceport (34342) |dst addr(192.168.10.0 ) | dst port (8080)
</code>
In the above example packet, only the dst address will be replaced with the address 192.168.56.42:
<code>
Translated packet:
192.168.10.0 --> 192.168.56.42
source addr(10.182.0.102) | sourceport (34342) |dst addr(192.168.56.42 ) | dst port (8080)
</code>
Note: if my assumption is wrong, then after applying the rdr rule, how will the above packet be translated with respect to its source address and dst address fields?
4) Then the pass in rule below is applied to the translated packet. Does this packet match the rule below and is it allowed to go to the em1 interface, or what? (This is the only part where I need clarification.)
Code:
pass in on em0 from any to 192.168.56.42 port 8080
5) I assume the translated packet passed the above "pass in" rule; next "pass out" is applied. Is the translated packet translated again into another form like this, or what?
<code>
Translated packet:
source addr(10.182.0.102) | sourceport (34342) |dst addr(192.168.56.42 ) | dst port (8080)
</code>
Now, after applying the "pass out on em1" rule, is the source address replaced with the IP address of the em1 interface, or what?
Here, the em1 address is 192.168.56.40/24 (mentioned earlier).
<code>
second time translated packet:
10.182.0.102 ->192.168.56.40
source addr(192.168.56.40) | sourceport (34342) |dst addr(192.168.56.42 ) | dst port (8080)
</code>
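The packet walk described in the first post and traced step by step in the second can be checked with a small model of the classic PF processing order: translation (rdr for packets coming in on an interface, nat for packets going out on an interface) is applied first, and the filter rules then see the already-translated packet. This is an added example and is not code from the thread or from PF itself; it reuses the thread's interfaces and addresses, assumes 192.168.10.1 as the em0 address, and leaves out PF's state tracking, which is what handles reply packets in the real implementation.

```python
"""Toy model of the classic PF packet path: rdr/nat translation first, then
filter rules on the translated packet. Constructed illustration, not PF code.
Interface names and hosts follow the thread; the em0 address 192.168.10.1 is
an assumption; state tracking for replies is deliberately omitted."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class RdrRule:   # rdr on IFACE from any to any port DPORT -> TARGET
    iface: str
    dport: int
    target: str


@dataclass(frozen=True)
class NatRule:   # nat on IFACE from any to any -> (IFACE), i.e. IFACE_ADDR
    iface: str
    iface_addr: str


@dataclass(frozen=True)
class PassRule:  # pass in|out on IFACE from any to DST port DPORT (None = any)
    direction: str
    iface: str
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, direction: str, iface: str, pkt: Packet) -> bool:
        return (self.direction == direction and self.iface == iface
                and self.dst in (None, pkt.dst)
                and self.dport in (None, pkt.dport))


@dataclass
class Ruleset:
    nat: List[NatRule]
    rdr: List[RdrRule]
    filters: List[PassRule]


def translate(pkt: Packet, direction: str, iface: str, rs: Ruleset) -> Packet:
    """rdr rewrites the destination of packets coming IN on its interface;
    nat rewrites the source of packets going OUT on its interface.
    Filter (pass/block) rules never change addresses."""
    if direction == "in":
        for r in rs.rdr:
            if r.iface == iface and r.dport == pkt.dport:
                return replace(pkt, dst=r.target)
    else:
        for n in rs.nat:
            if n.iface == iface:
                return replace(pkt, src=n.iface_addr)
    return pkt


def verdict(pkt: Packet, direction: str, iface: str, rs: Ruleset) -> bool:
    """Default block; PF's last matching rule wins ('quick' is not modelled)."""
    passed = False
    for f in rs.filters:
        if f.matches(direction, iface, pkt):
            passed = True
    return passed


def forward(pkt: Packet, rs: Ruleset, in_iface: str, out_iface: str):
    """Walk a packet in on one interface and out on another.
    Returns (final packet, passed?, per-hop trace of (dir, iface, pkt, ok))."""
    trace = []
    for direction, iface in (("in", in_iface), ("out", out_iface)):
        pkt = translate(pkt, direction, iface, rs)   # translation first
        ok = verdict(pkt, direction, iface, rs)      # then the filter rules
        trace.append((direction, iface, pkt, ok))
        if not ok:
            return pkt, False, trace
    return pkt, True, trace


# Constructed ruleset mirroring the thread (em0 external, em1 internal).
RULESET = Ruleset(
    nat=[NatRule("em0", "192.168.10.1")],                 # assumed em0 address
    rdr=[RdrRule("em0", 8080, "192.168.56.42")],
    filters=[
        PassRule("in", "em0", "192.168.56.42", 8080),     # post-rdr address
        PassRule("out", "em1", "192.168.56.42", 8080),
        PassRule("in", "em1"),   # let LAN hosts open outbound connections
        PassRule("out", "em0"),
    ],
)

if __name__ == "__main__":
    # Inbound request from the thread: rdr rewrites dst before 'pass in on em0'
    # is evaluated; 'pass out on em1' passes it through unchanged.
    inbound = Packet("10.182.0.102", 34342, "192.168.10.1", 8080)
    for step in forward(inbound, RULESET, "em0", "em1")[2]:
        print(step)
    # Outbound connection from the LAN host: nat rewrites src, only on em0.
    outbound = Packet("192.168.56.42", 51000, "10.182.0.102", 443)
    for step in forward(outbound, RULESET, "em1", "em0")[2]:
        print(step)
```

Running it shows the two points the first post makes: the `pass in on em0` rule has to name the redirected address 192.168.56.42, because that is what the filter sees, and `pass out on em1` leaves both addresses alone since no nat rule is bound to em1. Swapping the `pass in` rule for one that names the pre-redirect address blocks the packet.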