Subject: Question about ipf and ipnat
To: None <firstname.lastname@example.org>
From: Seth Kurtzberg <email@example.com>
Date: 10/07/2001 22:08:07
Does any know the order of application of NAT rules and IPF rules? That is,
does address translation occur before or after the application of IPF rules?
It appears that for outgoing packets, filter rules are applied to the address
before NAT is applied; that is, the untranslated address needs to be used in
the IPF rules. This works well.
I haven't been able to determine exactly how to construct the input rules,
however. Do I use the translated address on the filter rules?
To be clear, I have a web server which is 184.108.40.206. Internally it is
192.168.1.3. For the output filter, I have a rule:
pass out from 192.168.1.3/32 port = 80 to any group 100
which works. The packets arriving at my test machine (connected to my DMZ
between the NETBSD machine and my border gateway) show a source address of
220.127.116.11, which is correct.
For the corresponding input filter rule, do I use:
pass in from any to 18.104.22.168/32 port = 80 group 100
or should I be using:
pass in from any to 192.168.1.3/32 port = 80 group 100
The packets for this path actually are diverted to a transparent proxy in a
firewall, but this firewall is on the other side of the machine where I am
setting the filter rules, and operates transparently. That is, I have a two
stage firewall, and the packets are diverted on the inner firewall, but the
question is about the filter rules on the outer firewall which is unaware of
the existence of the inner firewall (except that routes go through the inner
firewall, of course). As the output filter rule works as expected, I don't
think any configuration of the inner firewall is relevant to this question,
but I include the information just in case.
Thanks in advance...
Machine Independent Software
Office: (480) 661-1849
Fax: (480) 614-8909
pager: 888-605-9296 or email firstname.lastname@example.org