Some questions about pf and nat

Hi everybody,

I am trying to port my iptables rules from my linux box to my new FreeBSD router (yeah). I want unrestricted access from my internal net (192.168.1.1/24) to the internet, but block all ports from the internal net to the router except ssh. Local traffic on the router should not be allowed to leave the box.

I am using pf, my conf looks something like this. (Mainly taken from "The book of pf").

Code:
#Devices
ext_if = "tun0"
int_if = "vr1"

localnet = $int_if:network

#nat
nat on $ext_if from $localnet to any -> ($ext_if)

#filter
block all

#allow access to the internet
pass from $localnet to any keep state

#Allow ssh on router from internal net
pass in proto tcp from $localnet to $int_if port 22

This does not work. I can't ping from my router to the internet (ping www.google.de). That is the right behaviour. But I cannot ping to the internet from the lan either. When I add the rule "pass out all" it works on all boxes, but it should not be possible on the router.

To state my problem more precisely: with iptables under linux I have in, out and forward rules. How can I emulate forward rules with pf?
 
Try something like this:
Code:
# "set skip" is an option and must come before the filter rules
set skip on lo0
block all
pass in on $int_if from $localnet to any keep state
pass in on $int_if proto tcp from $localnet to $int_if port 22
 
Hi,

I will try these rules this evening, but as far as I understand pf this rule
Code:
pass in on $int_if from $localnet to any keep state
already allows traffic on the ssh port from the internal net on the router, doesn't it?
 
Something like this...
Traffic from lan to internet (NAT) allowed (except ssh)
ssh from lan to internal router IP allowed.
Everything else denied. However, you probably will need a rule that allows traffic from router to ISP, otherwise you won't even establish the pptp session.

Code:
#Devices
ext_if = "tun0"
int_if = "vr1"

localnet = "192.168.1.1/24"

#exclude ssh port from translation to internet (example)
#"port" is only valid together with proto tcp or udp
no nat on $ext_if proto tcp from $localnet to any port ssh

# nat, no further rules will be applied to translated packets
nat pass on $ext_if from $localnet to any -> ($ext_if)

#filter
block all

#allow traffic from internal net to internet
pass in from $localnet to !$int_if

#allow ssh from intranet
pass in on $int_if inet proto tcp from $localnet to $int_if port ssh
 
Ok now it works. Here is my /etc/pf.conf:

Code:
ext_if = "tun0"
int_if = "vr1"

localnet = $int_if:network
set skip on lo

nat pass on $ext_if from $localnet to any -> ($ext_if)

block  all
pass from $localnet to !$int_if keep state

After adding pass it works as I expect it.

But can someone explain to me the difference between
Code:
nat pass on $ext_if from $localnet to any -> ($ext_if)
and
Code:
nat on $ext_if from $localnet to any -> ($ext_if)
 
Found it in the documentation

If the pass modifier is given, packets matching the translation rule are
passed without inspecting the filter rules.

Anyway thank you for help, it is working now :)
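For the original question (how to emulate iptables forward rules) and the nat / nat pass difference discussed above, here is an added example ruleset that is not from any post in this thread. It keeps a plain nat rule (no pass modifier, so translated packets are still filtered on the way out) and uses packet tagging to let forwarded LAN traffic leave via $ext_if while the router's own traffic stays blocked; interface names, the LAN_FWD tag name and the skip on lo0 are assumptions.

```pf
# Macros (interface names assumed from the thread)
ext_if = "tun0"
int_if = "vr1"
localnet = $int_if:network

# options come first in pf.conf
set skip on lo0

# Translation only: without the "pass" modifier the translated packets
# still have to match a "pass out" filter rule when leaving $ext_if.
nat on $ext_if from $localnet to any -> ($ext_if)

# Default deny for INPUT, OUTPUT and FORWARD alike
block all

# FORWARD, ingress half: LAN traffic not addressed to the router itself.
# The tag (name assumed) marks the packet as forwarded; tags survive NAT.
pass in on $int_if from $localnet to !$int_if tag LAN_FWD keep state

# FORWARD, egress half: only tagged packets may leave via $ext_if.
# Traffic generated by the router is untagged, so "block all" still
# applies to it (this is what separates FORWARD from OUTPUT).
pass out on $ext_if tagged LAN_FWD keep state

# INPUT equivalent: the only service the router offers the LAN is ssh
pass in on $int_if proto tcp from $localnet to $int_if port ssh keep state
```

With "nat pass" instead of "nat", the tagged "pass out" rule becomes unnecessary because translated packets bypass the filter rules entirely, which is why the final pf.conf in this thread works with a single pass rule. Check the syntax with "pfctl -nf /etc/pf.conf" before loading it.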
 