Subject: Re: IPF and NAT
To: Pavel Cahyna <pavel@netbsd.org>
From: Michael Gorsuch <michael.gorsuch@gmail.com>
List: netbsd-users
Date: 12/29/2006 19:35:25
Thank you very much, Pavel. I shouldn't have missed that. I'll look
harder next time.
On 12/29/06, Pavel Cahyna <pavel@netbsd.org> wrote:
> On Fri, Dec 29, 2006 at 02:43:01PM -0500, Michael Gorsuch wrote:
> > I'm trying to troubleshoot a few issues with my IPFiltar / NAT
> > configuration over here, and am curious: at which point does that NAT
> > translation take place?
> >
> > Is it immediately before sending the packet out?
> >
> > What about when you use 'bimap'? When does the incoming packet get translated?
>
> it is explained in /usr/share/examples/ipf/nat-setup:
>
> Filtering with NAT.
> -------------------
> IP Filter will always translate addresses in a packet _BEFORE_ it checks its
> access list for inbound packets and translates addresses _AFTER_ it has
> checked the access control lists for outbound packets.
>
> For example (using the above NAT rules), if you wanted to prevent all hosts
> in the 10.1.2.0/24 subnet from using NAT, you might use the following rule
> with ipf:
>
> block out on ppp0 from 10.1.2.0/24 to any
> block in on ppp0 from any to 10.1.2.0/24
>
> and use these with ipnat:
>
> map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap tcp/udp 10000:40000
> map ppp0 10.1.0.0/16 -> 209.23.1.0/28 portmap
>