List:       openbsd-pf
Subject:    Re: RDR/NAT/BINAT order again
From:       Daniel Hartmeier <daniel () benzedrine ! cx>
Date:       2003-07-31 8:34:06

On Thu, Jul 31, 2003 at 12:41:45PM +0800, NortonNg wrote:

> I read some articles which mention the RDR/NAT/BINAT order. According to
> http://mniam.net/pf/pf.png , the order would be:
> 
> incoming: RDR->BINAT
> outgoing: BINAT->NAT

Yes, that's right.

> If I have the following requirement:
> 211.1.1.1 port 80 redirect to 192.168.1.1:80,
> 211.1.1.2 port 21 redirect to 192.168.1.1:21,
> 192.168.1.1 outgoing traffic will be nated src to 211.1.1.2,
> 211.1.1.3 mapping to 192.168.1.1

The last two contradict for outgoing connections; you have to specify
whether you want outgoing connections from 192.168.1.1 to get their
source address translated to 211.1.1.2 OR 211.1.1.3.

If you want 211.1.1.3, just remove the nat rule.

If you want 211.1.1.2, you effectively want the binat rule only to
translate incoming connections, so replace it with an rdr rule:

  rdr on fxp0 inet from any to 211.1.1.3 -> 192.168.1.1

which will translate incoming connections' destination address for all
ports, leaving the destination port unchanged.

So, you can do both, depending on what you want. The current order
doesn't prevent you from expressing either way.

> Imagine that an ftp client (active mode) connects to 211.1.1.2 port 21, but the
> data port is initialized from 211.1.1.3 port 20 because of the binat rule; that
> will break the ftp data connection!!!!

So it seems you want the source translated to 211.1.1.3, then remove the
nat rule. No need to change code in pf.

> Do I make a mistake? If you change the order to RDR->NAT->BINAT, will
> this break other pf mechanisms?

It wouldn't break a mechanism, but it would change semantics, breaking
other people's existing rulesets. As long as a change is not required,
don't change semantics :)

Daniel
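The two rulesets Daniel describes, written out as a pf.conf fragment. This is an added example, not part of the original thread: the interface name fxp0 comes from the rdr rule above, the addresses are the ones in the question, and the macro name ext_if is an assumption. Filter (pass) rules are omitted; translation rules on their own do not pass any traffic, so the matching pass rules still have to exist for either variant to work.

```pf
# Added example: resolving the rdr/nat/binat conflict from the thread.
ext_if = "fxp0"

# --- The conflicting original (as described in the question) ---
# Outgoing translation is evaluated binat -> nat, so the binat rule is
# consulted first and the nat rule never gets to say 211.1.1.2.
#
# rdr   on $ext_if inet proto tcp from any to 211.1.1.1 port 80 -> 192.168.1.1 port 80
# rdr   on $ext_if inet proto tcp from any to 211.1.1.2 port 21 -> 192.168.1.1 port 21
# nat   on $ext_if inet from 192.168.1.1 to any -> 211.1.1.2
# binat on $ext_if inet from 192.168.1.1 to any -> 211.1.1.3

# --- Variant A: outgoing source address should be 211.1.1.3 ---
# Keep the binat rule, drop the nat rule. binat is bidirectional, so
# incoming connections to 211.1.1.3 (all ports) still reach 192.168.1.1.
rdr   on $ext_if inet proto tcp from any to 211.1.1.1 port 80 -> 192.168.1.1 port 80
rdr   on $ext_if inet proto tcp from any to 211.1.1.2 port 21 -> 192.168.1.1 port 21
binat on $ext_if inet from 192.168.1.1 to any -> 211.1.1.3

# --- Variant B: outgoing source address should be 211.1.1.2 ---
# Replace binat with an rdr that only translates the incoming direction
# (all ports, destination port unchanged), and keep the nat rule. With
# this variant an active-mode ftp data connection from 192.168.1.1 port 20
# leaves with source 211.1.1.2, matching the control connection's address.
#
# rdr on $ext_if inet proto tcp from any to 211.1.1.1 port 80 -> 192.168.1.1 port 80
# rdr on $ext_if inet proto tcp from any to 211.1.1.2 port 21 -> 192.168.1.1 port 21
# rdr on $ext_if inet from any to 211.1.1.3 -> 192.168.1.1
# nat on $ext_if inet from 192.168.1.1 to any -> 211.1.1.2
```

Only one of the two variants should be active in a real pf.conf; variant A is left uncommented here and variant B commented out so the fragment loads as a single consistent ruleset. The translation rules in each category are matched first-match, which is why the two variants differ only in which rule for 192.168.1.1 remains.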
