#1
30th April 2009
nimnod
New User
Join Date: Feb 2009
Posts: 7
PF rdr pass question


A piece of my pf.conf:
rdr pass on $ext_if proto tcp from <friends> to ($ext_if) port 80 -> $tgtserv port 8000

block log all

pass out quick on $ext_if proto tcp from any to $tgtserv port 8000
Why do I still have to have this filter rule? Otherwise this traffic is blocked on the outgoing part. It seems to me that the pass keyword on rdr rules applies only to the incoming part of the rule, not the whole of it.
#2
30th April 2009
DutchDaemon
Real Name: Ben
Spam Refugee
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
They are two separate actions. The 'rdr pass' rule allows connections to port 80 (in other words: no additional filter rules are involved or consulted) and triggers the redirection (translation); the second 'pass out' rule concerns the subsequent 'new' translated connection, caused by the redirection. Sure, it feels like you're doing the same thing twice, but to pf these are two entirely separate entities which need their own rules.
#3
1st May 2009
J65nko
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,503
This behaviour is clearly documented in the pf man page:
     Translation rules modify either the source or destination address of the
     packets associated with a stateful connection.  A stateful connection is
     automatically created to track packets matching such a rule as long as
     they are not blocked by the filtering section of pf.conf.  The transla-
     tion engine modifies the specified address and/or port in the packet, re-
     calculates IP, TCP and UDP checksums as necessary, and passes it to the
     packet filter for evaluation.

     Since translation occurs before filtering the filter engine will see
     packets as they look after any addresses and ports have been translated.
     Filter rules will therefore have to filter based on the translated ad-
     dress and port number.  Packets that match a translation rule are only
     automatically passed if the pass modifier is given, otherwise they are
     still subject to block and pass rules.

     The state entry created permits pf(4) to keep track of the original ad-
     dress for traffic associated with that state and correctly direct return
     traffic for that connection.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
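The two-step behaviour described in posts #2 and #3 (translation first, then filtering of the translated packet), written out as a complete pf.conf in the style of nimnod's snippet. This is an added example, not a ruleset from the thread: the interface name, the target address, the <friends> table contents and the narrowing of the outbound rule from 'from any' to 'from <friends>' are all assumptions made here.

```pf
# Added example: macro and table values are assumed, not taken from the thread.
ext_if  = "em0"          # assumed external interface
tgtserv = "192.0.2.10"   # assumed redirect target (documentation address range)

# Assumed set of trusted client networks; only these may reach the service.
table <friends> persist { 198.51.100.0/24 }

# Step 1: translation. A packet from <friends> arrives on $ext_if with
# destination ($ext_if):80. rdr rewrites the destination to $tgtserv:8000,
# and because of the 'pass' modifier this inbound packet is admitted and a
# state is created without consulting the filter rules below.
rdr pass on $ext_if proto tcp from <friends> to ($ext_if) port 80 -> $tgtserv port 8000

# Default deny: anything not explicitly passed is blocked and logged to pflog0.
block log all

# Step 2: filtering. Translation happens before filtering, so the filter
# engine sees the packet as it looks after translation (dst $tgtserv:8000)
# as it leaves the host. That is a separate event from the inbound match
# above and needs its own rule; without it, 'block log all' drops it.
# rdr does not rewrite the source address, so the rule can be tightened
# from 'from any' (as in the original post) to 'from <friends>'.
pass out quick on $ext_if proto tcp from <friends> to $tgtserv port 8000
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check without activating it. After a client connects, `pfctl -s state` shows the entries pf keeps for the connection, and, as the signature above suggests, `tcpdump -n -e -ttt -i pflog0` shows exactly which packet the 'block log all' rule is dropping if the pass out rule is missing or too narrow.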