Rocky Hotas <rockyhotas%firemail.cc@localhost> writes:

I am not a pf expert, but...

> As it is written here, and exactly as Martin said in a previous
> thread, `pass stateful out all' ``allows the packet to go out, and
> also creates a NAT state entry so any answers are allowed back in''.

This creates a state entry. That is a record that packets with some
protocol, srcaddr/port, dstaddr/port went out, and this creates
implicit rules that will allow the reverse packets back in. It does
not configure NAT.

> But also this line enables NAT:
>
> map $ext_if dynamic $localnet -> $ext_if

Yes. That does, and it probably doesn't create a state entry - just
maps the outgoing packet. Or if it does create state, that state
probably won't allow an incoming packet (when there is a block all in
rule).

> So, assume that my npf.conf has:
>
> map $ext_if dynamic $localnet -> $ext_if
>
> group (name "external", interface $ext_if) {
>     pass stateful out all
> }

That seems to be how you do it. (I am not clear on where you put the
"block in all", or if npf is paranoid enough that it's default. That's
not a request for help; I am in the middle of reading the docs for my
own purposes.)

> Given the `map' line which creates a NAT, is `pass stateful out all'
> (which allows any packet creating a NAT) really necessary? A NAT has
> already been created with `map'.

I believe it is.

> Or, vice versa, with `pass stateful out all', is `map' really
> necessary?

Absolutely. A firewall that does not do NAT is a very sensible
concept. You are only configuring NAT because you don't have real
addresses on your LAN (you and ~everybody else at home).
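For readers following the thread, here is an added example of a complete npf.conf that puts the two pieces under discussion together; it is not from the thread or from NetBSD's own documentation. It uses the same group syntax as the quoted fragment, and the interface names and the LAN prefix are assumptions. It also shows where the explicit "block all" lives (the default group), which is the point the reply left open.

```conf
# Added example npf.conf (not from the thread). Interface names and
# the LAN prefix are assumptions; adjust to the real gateway.
$ext_if = "wm0"
$int_if = "wm1"
$localnet = { 192.168.1.0/24 }

# NAT: rewrite the source of LAN packets leaving $ext_if to the
# interface's own address. This is the only line that configures NAT;
# it does not by itself allow anything in or out.
map $ext_if dynamic $localnet -> $ext_if

group (name "external", interface $ext_if) {
	# Outbound traffic is allowed and tracked. Replies to a tracked
	# connection are let back in by the state entry, so no separate
	# "pass in" is needed for them.
	pass stateful out all
	# Unsolicited inbound packets match nothing here and fall through
	# to the default group, where they are blocked.
}

group (name "internal", interface $int_if) {
	# LAN side: only accept traffic that really comes from the LAN,
	# and let the gateway answer it.
	block in all
	pass in from $localnet
	pass out all
}

group (default) {
	# Catch-all for any packet no interface group passed.
	block all
}
```

The filter and the translation stay independent: removing the map line leaves a working stateful firewall that forwards nothing for the LAN (private source addresses would leave unrewritten), and removing "pass stateful out all" leaves the NAT in place but the default group then blocks the outbound packets before they are ever translated.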