NetBSD-Users archive


Re: npf, map and pass stateful out all

Rocky Hotas writes:

I am not a pf expert, but...

> As it is written here, and exactly as Martin said in a previous
> thread, `pass stateful out all' ``allows the packet to go out, and
> also creates a NAT state entry so any answers are allowed back in''.

This creates a state entry.  That is a record that packets with some
protocol, srcaddr/port, dstaddr/port went out, and this creates implicit
rules that will allow the reverse packets back in.  It does not
configure NAT.

> But also this line enables NAT:
> map $ext_if dynamic $localnet -> $ext_if

Yes.  That does, and it probably doesn't create a state entry - just
maps the outgoing packet.  Or if it does create state, that state
probably won't allow an incoming packet (when there is a block all in

> So, assume that my npf.conf has:
> map $ext_if dynamic $localnet -> $ext_if
> group (name "external", interface $ext_if) {
> 	pass stateful out all
> }

That seems to be how you do it.  (I am not clear on where you put the
"block in all", or if npf is paranoid enough that it's default.  That's
not a request for help; I am in the middle of reading the docs for my
own purposes.)

> Given the `map' line which creates a NAT, is `pass stateful out all'
> (which allows any packet creating a NAT) really necessary? A NAT has
> already been created with `map'.

I believe it is.

> Or, vice versa, with `pass stateful out all', is `map' really
> necessary?

Absolutely.  A firewall that does not do NAT is a very sensible
concept.  You are only configuring NAT because you don't have real
addresses on your LAN (you and ~everybody else at home).

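The distinction drawn in the reply above (a state entry admits return traffic, the map rewrites addresses), as an added example that is not part of the original message and is not npf's implementation. It is a conceptual model: the class, the addresses, the port-preserving translation and the implied "block in all" default are all assumptions made for illustration.

```python
from collections import namedtuple

# Constructed 5-tuple; addresses used below come from documentation ranges.
Pkt = namedtuple("Pkt", "proto src sport dst dport")

class ToyFirewall:
    """Conceptual model: a state table and a NAT table kept separately."""

    def __init__(self, ext_ip, localnet_prefix, nat=False):
        self.ext_ip = ext_ip
        self.prefix = localnet_prefix  # e.g. "192.168.1." (constructed)
        self.nat = nat                 # stands in for the `map` line
        self.states = set()            # filled by `pass stateful out all`
        self.nat_table = {}            # (proto, port) -> (lan_ip, lan_port)

    def outbound(self, pkt):
        """Apply the map (if configured), then record state for the flow."""
        if self.nat and pkt.src.startswith(self.prefix):
            # Assumption: the source port is preserved by the translation.
            self.nat_table[(pkt.proto, pkt.sport)] = (pkt.src, pkt.sport)
            pkt = pkt._replace(src=self.ext_ip)
        self.states.add(pkt)           # the flow as it appears on the wire
        return pkt

    def inbound(self, pkt):
        """Admit only replies to a recorded flow; the rest is blocked."""
        reverse = Pkt(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse not in self.states:
            return None                # assumed default: block in all
        lan = self.nat_table.get((pkt.proto, pkt.dport))
        if lan and pkt.dst == self.ext_ip:
            pkt = pkt._replace(dst=lan[0], dport=lan[1])  # undo the map
        return pkt

def run_flow(nat):
    """Send one outbound packet, then a reply and an unsolicited packet."""
    fw = ToyFirewall("198.51.100.7", "192.168.1.", nat=nat)
    sent = fw.outbound(Pkt("tcp", "192.168.1.10", 40000, "203.0.113.5", 443))
    reply = fw.inbound(Pkt("tcp", "203.0.113.5", 443, sent.src, 40000))
    stray = fw.inbound(Pkt("tcp", "203.0.113.9", 443, sent.src, 40000))
    return sent, reply, stray

if __name__ == "__main__":
    for nat in (False, True):
        print("nat =", nat, run_flow(nat))
```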
