PF how it works

Hi all,

I am studying PF rules and going through them now. I just need some clarification.

Code:
block in all
pass out all keep state

Assume that there are two interfaces, em0 (external) and em1 (internal network). My pf.conf has the above two rules. These rules do not mention any interfaces, so to which interfaces do they apply?

Thanks for your help.
 
They apply to both interfaces. It blocks any traffic coming in on both em0 and em1. Outgoing traffic on either interface is permitted.

These rules are convenient for a single workstation or server but not for a router or firewall.
 
I use those 2 basic rules when I set up a new desktop, and setting up pf is the first thing I do. Then I run freebsd-update fetch.

Once I'm done I switch to my own ruleset, but I have used the basic rules for days at a time with no problem. I've posted mine a couple of times if you're interested.
 
Thank you for the help.

Another clarification about the NAT rule below:
Code:
nat on em0 inet from em1:network to any -> em0

Here there are two interfaces, em0 (external interface) and em1 (internal network).

In the above rule, how should I understand the "em1:network" part after "from" (from em1:network) and the "any" keyword?

From my understanding, "em1:network" represents the internal interface card.

Can you clarify this?
 
Another thing I want to ask: where can I get the FreeBSD pf grammar? For OpenBSD it is available, but not for this. Can you provide me a link?
 
From pf.conf(5):
Code:
           Addresses can be specified in CIDR notation (matching netblocks),
           as symbolic host names, interface names or interface group names,
           or as any of the following keywords:

           any             Any address.
Code:
           Interface names and interface group names can have modifiers
           appended:

           :network      Translates to the network(s) attached to the
                         interface.
 
em1:network is the network connected to interface em1, while any literally means any IP address.

To clarify, if your em1 interface has the IP address 192.168.12.34/24 then em1:network is 192.168.12.0/24; the entire subnet.

PS: where are you getting this code from? That "arrow" for the NAT rule looks like the old notation which, I believe, is end-of-support.
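The em1:network expansion above, carried one step further as an added example (my code, not from the thread, not from PF): a small expander that turns the interface shorthands pf.conf(5) accepts in address positions (em1, em1:network, em1:broadcast, em1:0) into the concrete addresses pf substitutes when the ruleset is loaded, roughly what pfctl -nvf /etc/pf.conf shows. The interface table is constructed: em1 carries the thread's 192.168.12.34/24 plus an assumed alias 192.168.13.1/24 so that :0 (primary address only) differs from the bare name, and em0's 198.51.100.7/24 is assumed. A parenthesised (em0) is left alone on purpose, since pf keeps that form dynamic instead of expanding it at load time.

```python
"""Expand the interface shorthands pf.conf(5) accepts in address positions.

Added example, not PF code: it mimics the load-time expansion that
'pfctl -nvf /etc/pf.conf' prints. The interface table is constructed:
em1 has the thread's 192.168.12.34/24 plus an assumed alias 192.168.13.1/24
so that ':0' (primary address only) differs from the bare name; em0's
address is assumed.
"""
import itertools
import re
from ipaddress import ip_interface

IFACES = {
    "em0": ["198.51.100.7/24"],                       # assumed external address
    "em1": ["192.168.12.34/24", "192.168.13.1/24"],   # thread's address + assumed alias
}

# 'em1', 'em1:network', 'em1:broadcast', 'em1:0' (no aliases)
TOKEN = re.compile(r"([a-z]+\d+)(:network|:broadcast|:0)?")


def expand_token(tok):
    """Return the list of addresses/netblocks a single address word stands for."""
    if tok.startswith("("):
        return [tok]              # (em0): left dynamic, pf re-evaluates it on address change
    m = TOKEN.fullmatch(tok)
    if not m or m.group(1) not in IFACES:
        return [tok]              # literal address, 'any', keyword, port number, ...
    addrs = [ip_interface(a) for a in IFACES[m.group(1)]]
    mod = m.group(2)
    if mod == ":network":
        out = [str(a.network) for a in addrs]
    elif mod == ":broadcast":
        out = [str(a.network.broadcast_address) for a in addrs]
    elif mod == ":0":
        out = [str(addrs[0].ip)]  # primary address only, aliases dropped
    else:
        out = [str(a.ip) for a in addrs]  # bare name: every address, aliases included
    return list(dict.fromkeys(out))       # dedupe, keep order


def expand_rule(rule):
    """One rule per address combination, as pfctl expands lists and multi-address interfaces."""
    words = rule.split()
    choices = []
    for i, w in enumerate(words):
        if i > 0 and words[i - 1] == "on":
            choices.append([w])   # 'on em0' names the interface, it is not an address
        else:
            choices.append(expand_token(w))
    return [" ".join(c) for c in itertools.product(*choices)]


if __name__ == "__main__":
    for rule in ["nat on em0 inet from em1:network to any -> em0",
                 "nat on em0 inet from em1:network to any -> (em0)",
                 "pass in on em1 from em1:network to em1:0"]:
        print(rule, *expand_rule(rule), sep="\n    ")
```

Running it shows why the thread's rule grows into two NAT rules once em1 has an alias: em1:network stands for every network attached to the interface, not just the primary one, which is exactly the case where the from filter on a nat rule starts to matter.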
 
PS: where are you getting this code from? That "arrow" for the NAT rule looks like the old notation which, I believe, is end-of-support.

This I got from pfSense notations.
 
That "arrow" for the NAT rule looks like the old notation which, I believe, is end-of-support.
It might be on OpenBSD's PF; it's not on FreeBSD. Keep in mind that FreeBSD's PF is rather old compared to OpenBSD's. If I recall correctly, FreeBSD's PF is based on PF from OpenBSD 4.7.
 
1) I asked for clarification on the following:

"from em1:network": I understood it like this: there is a packet coming to the em1 interface from the internal network, and that packet contains a source address which is any one from the set of the em1:network block.

Is that understanding correct or not?

2) Second thing (NATing traffic from external to internal):
--------------------
Code:
nat on em1 inet from em0:network to any -> em1

Here:
em0 = External
em1 = Internal

The part "from em0:network", is this considered as
a) the source address in the packet, or
b) the packet is coming from em0 (NIC) to the internal network?

The main thing is how I can understand the 'from' keyword in the context of a NAT rule.
 
that packet contains a source address which is any one from the set of the em1:network block.

Is that understanding correct or not?
Yes, correct.

The part "from em0:network", is this considered as
a) the source address in the packet, or
b) the packet is coming from em0 (NIC) to the internal network?
Only a) is true. It doesn't matter where it came from, as the rule is defined on the outgoing interface, so it only applies to outgoing traffic on the em1 interface that matches the from..to filter. That said, you should not have em0:network source traffic coming in on any other interface than em0; anti-spoofing rules should prevent that.
 
In that case, from this

Code:
nat on em1 inet from em0:network to any -> em1

NAT rule, the "em0:network" part can be skipped. Is that correct?
 
Yes, you could remove it. The filter on NAT rules is really only useful if you have to NAT different sources to different addresses, for example.

Example:
Code:
nat on em1 from 192.168.10.0/24 to any -> (em1:0)
nat on em1 from 192.168.11.0/24 to any -> (em1:1)

Traffic with a source address in the range 192.168.10.0/24 will be translated to the first address on em1; traffic with source 192.168.11.0/24 will be translated to the second address of em1.
 
Another doubt:
In this redirection rule:

em0 (192.168.10.0/24): external interface,
em1 (192.168.56.40/24): internal interface
Code:
nat on em0 from 192.168.56.42/24 to any -> 192.168.10.0
nat on em1 from 192.168.10.0/24 to any -> 192.168.56.40
rdr on em0 proto tcp from any to any port 8080 -> 192.168.56.42
pass in all
pass out all

I understood the NAT concept. I want to know more about rdr; I have a little idea of the rdr concept, which is to redirect the packet coming from the external interface with dst port 8080 to the service running on 192.168.56.42 on port 8080.

My doubt is: in this "from any to any port 8080", what is the role of the any keyword?
How do nat, rdr and pass work together when a packet enters the firewall from the external interface?

Thank you all for your help
 
How do nat, rdr and pass work together when a packet enters the firewall from the external interface?
Rules are processed after NAT or redirections are done.

Simple example:
Code:
nat on em0 from any to any -> (em0)  # this is for outgoing traffic
rdr on em0 from any to any port 8080 -> 192.168.56.42  # this is for incoming traffic
In order to create a rule for this you need to account for the fact that the destination address is translated by the redirection before the rules are processed.
Code:
pass in on em0 from any to 192.168.56.42 port 8080

If there's an em1 interface connected to 192.168.56.0/24 you would also need a rule to allow the traffic going out on the internal interface:
Code:
pass out on em1 from any to 192.168.56.42 port 8080
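The ordering described in this answer (rdr rewrites the destination on the interface the packet comes in on, nat rewrites the source on the interface it leaves through, and the pass rules are matched against the already-translated packet), as an added example in Python; this is my toy model, not PF source code, and it only follows a forwarded packet through one direction. The rdr and pass lines are the ones from the thread. The rest is assumed: em0 carries 203.0.113.5 (the thread never gives em0 a host address), a nat on em0 rule for the internal 192.168.56.0/24 network, and a pass in on em1 rule so internal hosts can reach out at all under block in all. The model also keeps two real PF behaviours that matter for reading the result: without quick, the last matching filter rule wins, and a packet no rule matches is passed.

```python
"""Toy model of how PF orders translation and filtering for one forwarded packet.

Added example, not PF source code. The rdr/pass rules are the thread's; the
rest is assumed: em0 has 203.0.113.5, a 'nat on em0' covers 192.168.56.0/24,
and a 'pass in on em1' admits internal hosts. Locally delivered traffic and
state tracking are not modelled.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed topology: em0 external (assumed network), em1 internal (thread: 192.168.56.40/24).
IFACES = {
    "em0": ip_network("203.0.113.0/24"),
    "em1": ip_network("192.168.56.0/24"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# nat, rdr and pass rules all share the same 'proto ... from ... to ... port' filter.
RDR = [  # rdr on em0 proto tcp from any to any port 8080 -> 192.168.56.42
    {"on": "em0", "proto": "tcp", "from": "any", "to": "any", "port": 8080, "target": "192.168.56.42"},
]
NAT = [  # nat on em0 from 192.168.56.0/24 to any -> 203.0.113.5   (assumed)
    {"on": "em0", "from": "192.168.56.0/24", "to": "any", "target": "203.0.113.5"},
]
FILTER = [
    {"action": "block", "dir": "in", "on": None, "from": "any", "to": "any"},   # block in all
    {"action": "pass", "dir": "in", "on": "em0", "proto": "tcp",                # pass in on em0 ... port 8080
     "from": "any", "to": "192.168.56.42/32", "port": 8080},
    {"action": "pass", "dir": "out", "on": "em1", "proto": "tcp",               # pass out on em1 ... port 8080
     "from": "any", "to": "192.168.56.42/32", "port": 8080},
    {"action": "pass", "dir": "in", "on": "em1", "from": "192.168.56.0/24", "to": "any"},  # assumed
    {"action": "pass", "dir": "out", "on": "em0", "from": "any", "to": "any"},             # assumed
]


def matches(rule, pkt):
    """Evaluate a rule's proto/from/to/port filter against the packet as it is NOW."""
    if rule.get("proto") not in (None, pkt.proto):
        return False
    if rule["from"] != "any" and ip_address(pkt.src) not in ip_network(rule["from"]):
        return False
    if rule["to"] != "any" and ip_address(pkt.dst) not in ip_network(rule["to"]):
        return False
    return rule.get("port") in (None, pkt.dport)


def filter_verdict(direction, iface, pkt):
    """PF semantics without 'quick': the LAST matching rule wins; no match means pass."""
    verdict, rule_no = "pass", None
    for i, r in enumerate(FILTER):
        if r["dir"] == direction and r["on"] in (None, iface) and matches(r, pkt):
            verdict, rule_no = r["action"], i
    return verdict, rule_no


def route(dst):
    """Outbound interface: a directly attached network, else the default route via em0."""
    for name, net in IFACES.items():
        if ip_address(dst) in net:
            return name
    return "em0"


def walk(in_iface, pkt):
    """Return (result, final packet, trace) for one packet entering on in_iface."""
    trace = []
    # 1. rdr on the inbound interface rewrites the DESTINATION before any filtering.
    for r in RDR:
        if r["on"] == in_iface and matches(r, pkt):
            pkt = replace(pkt, dst=r["target"])
            trace.append(("rdr", in_iface, pkt.dst))
            break
    # 2. 'pass in' rules are matched against the already-translated destination.
    verdict, n = filter_verdict("in", in_iface, pkt)
    trace.append(("in", in_iface, verdict, n))
    if verdict == "block":
        return "blocked", pkt, trace
    # 3. Forwarding: nat on the OUTBOUND interface rewrites the SOURCE, then 'pass out' runs.
    out_iface = route(pkt.dst)
    for r in NAT:
        if r["on"] == out_iface and matches(r, pkt):
            pkt = replace(pkt, src=r["target"])
            trace.append(("nat", out_iface, pkt.src))
            break
    verdict, n = filter_verdict("out", out_iface, pkt)
    trace.append(("out", out_iface, verdict, n))
    return ("passed" if verdict == "pass" else "blocked"), pkt, trace


if __name__ == "__main__":
    # Constructed packets: the thread's inbound port-8080 connection and an internal host going out.
    for iface, pkt in [("em0", Packet("10.182.0.102", 34342, "203.0.113.5", 8080)),
                       ("em1", Packet("192.168.56.10", 40000, "8.8.8.8", 53, "udp"))]:
        result, final, trace = walk(iface, pkt)
        print(iface, result, final, *trace, sep="\n  ")
```

Two things the trace makes visible that the rules alone do not: the inbound 8080 packet leaves em1 with its original source address intact, because the only nat rule is on em0 and nat never fires for the pass out step on em1; and a packet to the firewall on any other port never reaches a pass rule, since block in all is the last (and only) match.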
 
1. Suppose both nat and rdr rules are mentioned. In this case, is it strictly nat first and then the rdr rules executed on each packet, or does the order not matter for nat or rdr rule execution?

2) This is my understanding of the rules which are mentioned in the previous post:

An example packet with the following address and port details enters the firewall through the em0 (192.168.10.0/24) external interface:
Code:
10.182.0.102 = external system IP
192.168.10.0 = em0 of firewall
source addr (10.182.0.102) | source port (34342) | dst addr (192.168.10.0) | dst port (8080)

3)
Then the following rdr rule is applied to this packet and it is translated into the following format:
Code:
rdr on em0 from any to any port 8080 -> 192.168.56.42 # this is for incoming traffic

Translated packet after passing through the above rdr rule:
Code:
Entered packet:
source addr (10.182.0.102) | source port (34342) | dst addr (192.168.10.0) | dst port (8080)

In the above example packet, only the dst address will be replaced with the address 192.168.56.42
Code:
Translated packet:
192.168.10.0 --> 192.168.56.42
source addr (10.182.0.102) | source port (34342) | dst addr (192.168.56.42) | dst port (8080)

Note: if my assumption is wrong, then after applying the rdr rule, how will the above packet be translated with respect to the source address and dst address fields?

4) Then the below pass in rule is applied to the translated packet; then this packet matches the below rule and is allowed to go to the em1 interface, or what? (Here only I need clarification.)

Code:
pass in on em0 from any to 192.168.56.42 port 8080

5) I assume that the translated packet passed the above "pass in" rule; next "pass out" is applied to it, and the translated packet is again translated into another form like this, or what?

Code:
Translated packet:
source addr (10.182.0.102) | source port (34342) | dst addr (192.168.56.42) | dst port (8080)

Now, after applying the "pass out on em1" rule, is the source address replaced with the IP address of the em1 interface, or what?

Here, the em1 address is 192.168.56.40/24 (mentioned earlier).

Code:
Second time translated packet:
10.182.0.102 -> 192.168.56.40
source addr (192.168.56.40) | source port (34342) | dst addr (192.168.56.42) | dst port (8080)
 
Direction of the traffic is important here. NAT is for outgoing traffic, redirection is for incoming traffic. The direction of the traffic flow defines if it's NAT or a redirection, not both. At least not when both are defined on the same interface. Better put, nat on .. is source address translation and rdr on ... is destination address translation. You can do both simultaneously, but it will have to be defined on different interfaces (redirection on the incoming interface and NAT on the outgoing interface).
 
You can do both simultaneously, but it will have to be defined on different interfaces (redirection on the incoming interface and NAT on the outgoing interface).

What is (redirection on the incoming interface and NAT on the outgoing interface)?
Incoming interface?
Outgoing interface?

I got it a little bit and am trying to understand.

Thank you for your help
 
Hi,
Going through this reply, I got some doubts.
1) The rdr rule replaces the dest address of the incoming packet on em0 with 192.168.56.42. This concept is clear.
2) After this, by which rule will the source address of the packet be replaced?
3) Only after the replacement of source and dest address in the packet will the above pass in and pass out rules be applied, or what?
 
Hi all,

Whatever you suggested in rules, I have written and tested them. They are all working.
Thank you for that.

A few things I want to know.

1. Are pass in and pass out related to inbound and outbound traffic on the (external interface)?
2. Then in that case, what about pass in and pass out on the (internal interface) in the context of a firewall?

3. Once pass in is applied on the external interface (em0), does traffic move to the gateway or the internal interface network card (em1) directly?

4. With NAT rules and rdr rules, if we use pass in all and pass out all, what happens?
 