From: Giancarlo Razzolini (linux-fanonda.com.br)
Date: Tue Sep 02 2008 - 12:24:26 CDT
Stefan Sczekalla wrote:
> I'm somewhat uncertain on how NAT behaves especially on nearly
> concurrent rules.
> assumption: ( ext_if has two addresses e.g. 18.104.22.168 and an ALIAS
> 22.214.171.124 )
> nat pass on $ext_if from $internal_networks to 192.168.47.11 ->
> nat pass on $ext_if from $internal_networks to any -> ( $ext_if )
> ( how ) Can I be sure that 192.168.47.11 will always be connected from
> 126.96.36.199 ?
> will PF behave differently when the order of the rules is vice-versa ?
> Kind regards,
The pf.conf man page states this, when talking about the evaluation
of translation rules:
"Evaluation order of the translation rules is dependent on the type of
the translation rules and of the direction of a packet. binat rules are
always evaluated first. Then either the rdr rules are evaluated on an
inbound packet or the nat rules on an outbound packet. Rules of the
same type are evaluated in the same order in which they appear in the
ruleset. *The first matching rule decides what action is taken.*"
Also, you are using the *pass* modifier. This means that, if a
packet matches the rule, it will not be processed further by filter rules.
You must keep in mind that *every* packet that matches a translation
rule will create an implicit state. If you take a look at the pf states
with pfctl -ss -vvv, you can see the states and also which IP address
they were translated to. This way you can ensure your rules are working
correctly. But I don't recommend the use of the *pass* modifier unless
you know exactly what you're doing.
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
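The ordering point from the reply above, written out as a pf.conf fragment. This is an added example, not a configuration from either poster: the interface name, the internal networks and the alias address 203.0.113.2 are constructed, and it assumes the 2008-era `nat` syntax used in the thread (OpenBSD 4.6 and earlier; newer PF releases use `match ... nat-to`). The first rule's translation target, which is cut off in the quoted question, is assumed to be the alias address.

```conf
# Added example (not from the thread). Interface and addresses are constructed.
ext_if            = "em0"
internal_networks = "{ 10.0.0.0/8, 192.168.0.0/16 }"
alias_addr        = "203.0.113.2"     # constructed: the ALIAS address on $ext_if
special_host      = "192.168.47.11"   # destination from the thread that must use the alias

# Translation rules of the same type are evaluated in the order written and
# the first match wins. The specific rule therefore has to come first: if the
# "to any" rule were listed first it would match every outbound packet and the
# $special_host rule would never be reached.
nat on $ext_if from $internal_networks to $special_host -> $alias_addr
nat on $ext_if from $internal_networks to any -> ($ext_if)

# Without the "pass" modifier, translated packets still go through the filter
# rules, so the normal default-deny policy applies to them as well.
block all
pass out on $ext_if from $internal_networks keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, confirm the rule order that was actually loaded with `pfctl -s nat`, and then, as the reply suggests, inspect the implicit states with `pfctl -ss -vvv`: a state for traffic to 192.168.47.11 should show the alias address as the translated source, while states for other destinations show the primary address of $ext_if.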