NetBSD-Users archive
Re: npf, map and pass stateful out all
On Oct 20 9:03, Greg Troxel wrote:
> I am not a pf expert, but...
Don't worry, me neither :).
> > As it is written here, and exactly as Martin said in a previous
> > thread, `pass stateful out all' ``allows the packet to go out, and
> > also creates a NAT state entry so any answers are allowed back in''.
>
> This creates a state entry. That is a record that packets with some
> protocol, srcaddr/port, dstaddr/port when out, and this creates implicit
> rules that will allow the reverse packets back in. It does not
> configure NAT.
You got the point. Yes, and I can confirm this. ``Also creates a NAT''
confused me. Maybe Martin was only meaning that the connection is
tracked, but not that an actual NAT is created. NAT can only be created
through `map'.
I put `map $ext_if dynamic $localnet -> $ext_if' in npf.conf. Then, I
considered the `SSH_CLIENT' env variable for two ssh connections from
different hosts in a LAN connected to the gateway, to a host which is
outside $ext_if. In both cases, the env variable showed the IP address
of the gateway. This did not happen without the `map' line: in that
case, `SSH_CLIENT' had the LAN IP of the host where I started the ssh
connection (so, they were different in the two connections).
> Yes. That does, and it probably doesn't create a state entry - just
> maps the outgoing packet. Or if it does create state, that state
> probably won't allow an incoming packet (when there is a block all in
> rule).
I am not able to say which of the two options is the right one, but
(using the same ssh example as above) the host outside $ext_if, without
a `pass stateful out all', is not reachable:
ssh: connect to host <host_IP> port 22: Network is unreachable
> > Given the `map' line which creates a NAT, is `pass stateful out all'
> > (which allows any packet creating a NAT) really necessary? A NAT has
> > already been created with `map'.
>
> I believe it is.
Yes, I can confirm this.
> Absolutely. A firewall that does not do NAT is a very sensible
> concept. You are only configuring NAT because you don't have real
> addresses on your LAN (you and ~everybody else at home).
Exactly.
Thank you!
Rocky
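A complete npf.conf that puts the pieces of this thread together (the `map' line for NAT, `pass stateful out all' for the state entries, and a `block in' on the external interface), added here as an illustration and not taken from the original message or from the NetBSD project. The interface names, the LAN prefix and the group syntax are assumptions; the group syntax in particular changed between NetBSD releases, so check npf.conf(5) on the release in use.

```conf
# Added example, not part of the original message.
# Interface names (wm0/wm1) and the LAN prefix are assumptions; the group
# syntax follows the current npf.conf(5) style and may differ on older
# releases.
$ext_if = "wm0"
$int_if = "wm1"
$localnet = { 192.168.1.0/24 }

# NAT is configured only here: the source address of LAN traffic leaving
# $ext_if is rewritten to the gateway's own address. This is why SSH_CLIENT
# on the remote host shows the gateway IP once the map line is present.
map $ext_if dynamic $localnet -> $ext_if

group "external" on $ext_if {
	# Creates a state entry for each outgoing connection so the replies
	# are allowed back in. It does not configure NAT. Without this line
	# the outside host is not reachable even with the map line above.
	pass stateful out all
	# Everything else arriving on the external interface is blocked.
	block in all
}

group "internal" on $int_if {
	# LAN hosts talk to (and through) the gateway.
	pass stateful in all
	pass out all
}

group default {
	pass on lo0 all
	block all
}
```

Validate the file with `npfctl validate /etc/npf.conf` before loading it with `npfctl reload` and `npfctl start`. For the gateway to forward LAN packets at all, IP forwarding must also be enabled (`sysctl -w net.inet.ip.forwarding=1`); npf alone does not turn it on.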