From: Bruce Bauer (bruce at specialdevices.com)
Date: Tue May 01 2001 - 15:07:58 CDT
This means that address translation is done before filtering on
inbound packets.
Take a look at:
http://coombs.anu.edu.au/~avalon/ipfil-flow.html
For a two-interface firewall you have four chances to filter
packets. Both inbound and outbound on each interface. NAT is
first on inbound and last on outbound. Since most filtering is
done on inbound packets (at least on rulesets that I have seen),
saying that NAT happens first is correct.
As for IPNAT rule order, the man page states that IPNAT rules
are first match and quit. However, a couple of months ago I was
browsing the ipfilter mailing list archive http://false.net/ipfilter/ and
ran across a post by Darren Reed (author of ipf) that said this is
only "sort of" correct. (I can't find that post right now :^( ; the search
engine for that list sucks.) It is a first match and quit order, but it
searches rules with the largest netmask first. So all rules
dealing with single IP addresses (x.x.x.x/32) are processed first.
Since rdr's generally go to a single address, the order of the rules
is not significant.
Bruce
> Sorry to jump in here, but this post piqued the interest of a newbie. (me!)
> You mentioned that IPNAT happens before IPF. Does that mean I don't have to
> have rules in the ipf.rules file to "allow in", say, port 25 or port 80 if
> I am nat'ing them to another machine behind the firewall?
>
>
> > It's not clear whether these rules worked on your 2.8 machine or
> > not.
> >
> > In General:
> >
> > IPNAT rule order.
> >
> > IPNAT rules are first match and quit EXCEPT they are also
> > largest netmask first. This means that all x/32 rules are
> > evaluated before any others. So in your case the order is not
> > important.
> >
> > IPNAT happens before IPF.
> >
> > Change your rules to filter on your private addresses.
> > To verify use ipfstat -hio to see which of your rules are actually
> > being matched.
> >
> > Bruce
> >
> >> I installed the 2.9 snapshot on a machine yesterday, and configured it
> >> using the same rules I had applied to a 2.8 machine recently, and am
> >> having serious problems using rdr to send SMTP/www traffic to a machine
> >> on the internal network.
> >>
> >> I have simplified the rules as much as possible, but no joy. I've also
> >> read through www.obfuscation.org/ipf without any luck.
> >>
> >> Can someone see what is wrong? I have modified the file sysctl.conf
> >> and rc.conf accordingly. All traffic behind the NAT machine works OK,
> >> but when I try to telnet to port 25 from outside i get no response.
> >>
> >> In the ipnat.rules file I tried having the map rules after the rdr
> >> rules, but no luck either way.
> >> /etc/ipnat.rules
> >> map ep0 10.1.1.7/24 -> 123.123.123.123/32 portmap tcp/udp 1025:65000
> >> map ep0 10.1.1.7/24 -> 123.123.123.123/32
> >>
> >> #map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000
> >> rdr ep0 123.123.123.123/32 port 25 -> 10.1.1.1 port 25
> >> rdr ep0 123.123.123.123/32 port 80 -> 10.1.1.1 port 80
> >> rdr ep0 123.123.123.123/32 port 110 -> 10.1.1.1 port 110
> >> rdr ep0 123.123.123.123/32 port 143 -> 10.1.1.1 port 143
> >> rdr ep0 123.123.123.123/32 port 993 -> 10.1.1.1 port 993
> >>
> >>
> >> /etc/ipf.rules
> >> pass in from any to any
> >> pass out from any to any
> >>
> >> pass in quick on ep0 proto tcp from any to 123.123.123.123/32 port = 25 keep state
> >> pass in quick on ep0 proto tcp from any to 123.123.123.123/32 port = 80 keep state
> >> pass in quick on ep0 proto tcp from any to 123.123.123.123/32 port = 143 keep state
> >> pass out quick on ep0 proto tcp from any to any keep state
> >>
> >
> >
> > -*-*-*-*-*-*-*-*-*-*-*-*-*-
> >
> > All opinions are my own.
> > All advice is worth what you pay for it.
> > A little experience often upsets a lot of theory.
> >
> > -*-*-*-*-*-*-*-*-*-*-*-*-*-
>
>
> --
> Edison Information Technologies
> www.EdisonInfo.com
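The rulesets below are an added example, not Bruce's text or the original poster's files. They rewrite the posted /etc/ipnat.rules and /etc/ipf.rules along the lines of the advice above: because ipnat runs before ipf on inbound packets, the rdr'd services are filtered on their private destination 10.1.1.1 rather than on 123.123.123.123, which ipf never sees on those packets. The interface name ep0 and the addresses are taken from the post; the default-deny block rules, the explicit tcp on the rdr lines, the "flags S" on the stateful pass rules, the 10.1.1.0/24 spelling of the map source network, and the assumption that the internal interface is left at ipf's default-pass are my choices.

```conf
# /etc/ipnat.rules  (added example; ep0 and the addresses come from the post)

# Outbound masquerading for the internal /24.  Written as 10.1.1.0/24 so the
# network and mask agree (10.1.1.7/24 is masked to the same thing by ipnat,
# but reads as if a single host were meant).
map ep0 10.1.1.0/24 -> 123.123.123.123/32 portmap tcp/udp 1025:65000
map ep0 10.1.1.0/24 -> 123.123.123.123/32

# Inbound redirects.  These are all /32 rules, so per the thread their
# relative order does not matter.  Once an rdr matches, the packet that
# reaches ipf already has destination 10.1.1.1, not 123.123.123.123.
rdr ep0 123.123.123.123/32 port 25  -> 10.1.1.1 port 25  tcp
rdr ep0 123.123.123.123/32 port 80  -> 10.1.1.1 port 80  tcp
rdr ep0 123.123.123.123/32 port 110 -> 10.1.1.1 port 110 tcp
rdr ep0 123.123.123.123/32 port 143 -> 10.1.1.1 port 143 tcp
rdr ep0 123.123.123.123/32 port 993 -> 10.1.1.1 port 993 tcp


# /etc/ipf.rules  (added example)

# ipf is last-match unless a rule says "quick", so start with a default deny
# on the external interface instead of the posted "pass in from any to any".
# Interfaces without a block rule (the internal one, unnamed in the post,
# and lo0) stay at ipf's default of pass; tighten them separately if wanted.
block in  log on ep0 all
block out log on ep0 all

# Redirected services: filter on the PRIVATE destination, because NAT has
# already rewritten 123.123.123.123 -> 10.1.1.1 by the time ipf runs.
# A rule on 123.123.123.123 here would simply never be hit.
pass in quick on ep0 proto tcp from any to 10.1.1.1 port = 25  flags S keep state
pass in quick on ep0 proto tcp from any to 10.1.1.1 port = 80  flags S keep state
pass in quick on ep0 proto tcp from any to 10.1.1.1 port = 110 flags S keep state
pass in quick on ep0 proto tcp from any to 10.1.1.1 port = 143 flags S keep state
pass in quick on ep0 proto tcp from any to 10.1.1.1 port = 993 flags S keep state

# Outbound from the inside.  On the outbound path ipf runs BEFORE the map
# rules, so these rules see the private source addresses; the state entries
# let the replies back in without a separate "pass in" for each.
pass out quick on ep0 proto tcp  from any to any flags S keep state
pass out quick on ep0 proto udp  from any to any keep state
pass out quick on ep0 proto icmp from any to any keep state
```

Load them with ipf -Fa -f /etc/ipf.rules and ipnat -CF -f /etc/ipnat.rules, then, as suggested earlier in the thread, watch ipfstat -hio while connecting to port 25 from outside: the hit counter on the 10.1.1.1 rule should increment, and ipnat -l should show the corresponding rdr entry in the active NAT table. If the counter on the block rule moves instead, the rdr did not match and the problem is in ipnat.rules rather than ipf.rules.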