confusing problem with PF + NAT + filter_rule

Hello my dear,
After much study of the PF firewall, I decided to run it in a simple wireless network:

                           _____________
                          /            /
[WiFi_client]-----wlan0--/   PF+NAT   /--re0-----[PublicNet]
                        /____________/

and this is pf.conf:
Code:
ext_if="re0"
int_if="wlan0"
client="192.168.1.200"

altq on wlan0 cbq bandwidth 2Mb queue { std, client_queue }
	queue std    priority 3 bandwidth 1024Kb cbq(default)
	queue client_queue    priority 7 bandwidth 256Kb cbq(borrow)

# nat rules for local network
nat on $ext_if from $int_if:network to any -> ($ext_if)

# filter rules for $int_if inbound
block in on $int_if all
pass  in on $int_if from $int_if:network

# filter rules for $int_if outbound
block out on $int_if all
pass  out on $int_if from any to $int_if:network
pass  out on wlan0 from any to $client queue client_queue

But PF can't send $client traffic to client_queue...!
My confusing problem with PF is that the configuration below can send $client traffic to client_queue:
Code:
ext_if="re0"
int_if="wlan0"
client="192.168.1.200"

altq on wlan0 cbq bandwidth 2Mb queue { std, client_queue }
	queue std    priority 3 bandwidth 1024Kb cbq(default)
	queue client_queue    priority 7 bandwidth 256Kb cbq(borrow)

# nat rules for local network
nat on $ext_if from $int_if:network to any -> ($ext_if)

# filter rules for $int_if inbound
block in on $int_if all
pass  in on $int_if from $int_if:network
pass  in on $int_if from $client to any queue client_queue

# filter rules for $int_if outbound
block out on $int_if all
pass  out on $int_if from any to $int_if:network
#pass  out on wlan0 from any to $client queue client_queue

Best regards, please guide me...
 
Mohsen_Moradgholi said:
Hello my dear,
After much study of the PF firewall, I decided to run it in a simple wireless network:
and this is pf.conf:
Code:
pass  in on $int_if from $int_if:network
pass  out on wlan0 from any to $client queue client_queue

But PF can't send $client traffic to client_queue...!
My confusing problem with PF is that the configuration below can send $client traffic to client_queue:

This is because PF is a stateful firewall, you have to think in terms of "connections":

When your $client starts a "connection", a state is created to allow the reply to return to $client. States are checked before rules, if a state matches, then the rules are not evaluated. This means that the rule "pass out on wlan0 from any to $client queue client_queue" is never evaluated if $client initiates the connection and is useless. It will be useful if you want to allow someone to connect to $client.

Regards.
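The point of the reply (a state is matched before any rule is consulted, so the "pass out ... queue client_queue" rule is never evaluated for connections $client starts) can be confirmed from PF's own counters rather than by trial and error: pfctl -vvsq prints a pkts counter per ALTQ queue, and pfctl -vsr prints an Evaluations counter per rule. The script below is an added example, not code from either post; it parses those two outputs with awk. The sample texts inside it are constructed to resemble the FreeBSD pfctl layout (an assumption about column layout, not real captures), and the function and variable names are my own. On a live router you would pipe the real command in, e.g. `pfctl -vvsq | queue_pkts client_queue`.

```shell
#!/bin/sh
# Added example (not from the thread): two small parsers for pfctl statistics
# so "is my queue rule ever hit?" is answered from counters, not guesswork.
# The samples below are constructed to mimic `pfctl -vvsq` and `pfctl -vsr`
# output on FreeBSD; replace them with the live commands on a real router.

# Constructed sample of `pfctl -vvsq` (ALTQ queue statistics), not a capture.
SAMPLE_QUEUES='queue root_wlan0 on wlan0 bandwidth 2Mb priority 0 cbq( wrr root ) {std, client_queue}
  [ pkts:       4210  bytes:    3150000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  std on wlan0 bandwidth 1.02Mb cbq( default )
  [ pkts:       4210  bytes:    3150000  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  client_queue on wlan0 bandwidth 256Kb priority 7 cbq( borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]'

# Constructed sample of `pfctl -vsr` (rules with counters). pfctl prints the
# macros already expanded, so $client shows up as 192.168.1.200.
SAMPLE_RULES='pass in on wlan0 inet from 192.168.1.0/24 to any flags S/SA keep state
  [ Evaluations: 3980      Packets: 318200    Bytes: 290145000  States: 12    ]
pass out on wlan0 inet from any to 192.168.1.200 flags S/SA keep state queue client_queue
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]'

# queue_pkts NAME: read `pfctl -vvsq` output on stdin and print the pkts
# counter of queue NAME. Prints nothing and returns 1 if the queue is absent.
queue_pkts() {
    awk -v want="$1" '
        $1 == "queue" { cur = $2 }                    # header line names the queue
        cur == want && $1 == "[" && $2 == "pkts:" {   # first stats line under it
            print $3; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# rule_evals REGEX: read `pfctl -vsr` output on stdin and print the
# Evaluations counter of the first rule whose text matches REGEX.
# A rule at 0 evaluations has never been consulted: every packet it could
# have matched was already handled by an existing state.
rule_evals() {
    awk -v pat="$1" '
        /^[a-z]/ { hit = ($0 ~ pat) }                 # rule lines start in column 1
        hit && $1 == "[" && $2 == "Evaluations:" {    # counter line is indented
            print $3; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# Short report over the constructed samples: std carries all the packets,
# client_queue carries none, and the out rule was never evaluated.
report() {
    echo "std pkts:          $(printf '%s\n' "$SAMPLE_QUEUES" | queue_pkts std)"
    echo "client_queue pkts: $(printf '%s\n' "$SAMPLE_QUEUES" | queue_pkts client_queue)"
    echo "out-rule evals:    $(printf '%s\n' "$SAMPLE_RULES" | rule_evals 'pass out .* queue client_queue')"
}

report
```

On a live box the same two checks read `pfctl -vvsq | queue_pkts client_queue` and `pfctl -vsr | rule_evals 'pass out .* queue client_queue'`; if the rule's Evaluations stays at 0 while the client is browsing, the queue assignment has to move to the rule that creates the state, which is what the second pf.conf in the thread does with its "pass in" rule.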
 