Port-macppc archive


Re: Applying Filtering on NAT'd Packets

On Mon, 26 Aug 2013, at 11:39:34 -0500, Dani Tekeste wrote:
>Hello, I was hoping I can get some help on this. 
>I'm trying to block some packets which I have already applied NAT on but it 
>does not seem to be working. Is there a way to filter packets after applying 
>Here is what I'm doing. 
>nat pass on en0 from to ->
>block drop out on en0 inet proto tcp from port=55555 to 


By using the "pass" option in the first line, you've explicitly told
pf not to apply filtering to those NATed packets. As the pf.conf(5)
man page states: "If the pass modifier is given, packets matching
the translation rule are passed without inspecting the filter
rules." (See the "Translation Examples" section of the man page.)

If your goal was to minimize latency by skipping filtering on most
NATed addresses, then you could rewrite the first line to stop at and have a new rule for just that
excludes the "pass" option. (I do find the subnet you've expressed
a little confusing to read, as it overlaps with the translated
address. The behaviour may not be as you expect given
is on both sides of the NAT instruction, but I can't say for sure.)

(As an aside, you'd do best to post these sorts of questions to a
mailing list that's not port-specific. netbsd-users or current-users
would be better choices of lists for this topic.)
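A constructed pf.conf fragment, added here and not part of the original thread, showing the "nat pass" shape that bypasses the filter rules next to the two ways of letting the block rule run. The addresses (192.0.2.0/24, 192.0.2.10, 198.51.100.1), the macro names and the use of static-port are assumptions for the illustration.

```pf
# Constructed example (not from the original thread). Assumed values:
#   outbound interface en0, LAN 192.0.2.0/24, host to filter 192.0.2.10,
#   translated (NAT) address 198.51.100.1
ext_if   = "en0"
lan_net  = "192.0.2.0/24"
filtered = "192.0.2.10"
nat_addr = "198.51.100.1"

# --- As posted: "pass" ends evaluation for every translated packet.  ---
# Per pf.conf(5), packets matching a "nat pass" rule are passed without
# inspecting the filter rules, so the block rule below never sees them.
#nat pass on $ext_if from $lan_net to any -> $nat_addr
#block drop out on $ext_if inet proto tcp from any port 55555 to any

# --- Option A: translate everything, then filter everything. ---
# Dropping "pass" lets the filter rules run on the translated packets.
# static-port keeps the original source port, otherwise NAT rewrites it
# and a filter rule keyed on "port 55555" would not match.
#nat on $ext_if from $lan_net to any -> $nat_addr static-port

# --- Option B: keep "pass" for the bulk of the LAN, filter one host. ---
# The first matching translation rule wins, so the narrow rule without
# "pass" must come before the broad "nat pass" rule.
nat on $ext_if from $filtered to any -> $nat_addr static-port
nat pass on $ext_if from $lan_net to any -> $nat_addr

# On the outbound path pf translates before it filters, so the filter rule
# must describe the packet as it looks after NAT: source is $nat_addr,
# not the LAN address. "log" records the drops for verification with pflog.
block drop out log on $ext_if inet proto tcp \
    from $nat_addr port 55555 to any
pass out on $ext_if from $nat_addr to any keep state
```

Check the result with "pfctl -nf /etc/pf.conf" before loading, then watch the pflog interface to confirm the drops are actually being matched.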
