
Re: NAT and dynamic addressing



On Fri, Jul 12, 2002 at 04:12:02PM -0700, Richard P. Koett wrote:
> > > $Ext_If="ep1"
> > > $Ext_Addr="x.x.x.x/32"
> > > $Int_Net="192.169.1.0/24"
> > > nat on $Ext_If from $Int_Net to any -> ($Ext_If)
> > > 
> > > I can also do either of these (for example):
> > > 
> > > rdr on $Ext_If proto udp from any to $Ext_If port domain \
> > >       -> 192.168.1.1 port domain
> > > 
> > >    or
> > > 
> > > rdr on $Ext_If proto udp from any to ep1 port domain \
> > >       -> 192.168.1.1 port domain
> > > 
> > > However, I cannot do either of these:
> > > 
> > > rdr on $Ext_If proto udp from any to ($Ext_If) port domain \
> > >       -> 192.168.1.1 port domain
> > > 
> > >    or
> > > 
> > > rdr on $Ext_If proto udp from any to (ep1) port domain \
> > >       -> 192.168.1.1 port domain
> > > 
> > > The preceding two examples result in:
> > > 
> > > /etc/pf.conf:26: address family (inet/inet6) undefined
> > 
> > isn't that clear?
> 
> Regrettably, no. As I understood it, the only difference between
> "rdr on $Ext_If proto udp from any to ep1 port domain \
>        -> 192.168.1.1 port domain"
> and 
> "rdr on $Ext_If proto udp from any to (ep1) port domain \
>       -> 192.168.1.1 port domain"
> is that with "ep1" the value is set when the rules are loaded
> and with "(ep1)" the value changes when the interface gets
> a new address (?)

Okay, I'll try to explain it. You did not specify the address family. ep1 most
probably has IPv4 and IPv6 addresses. As we don't expand rules to multiple
rules in the kernel as we do in userland, the rules must be clear. So you
need to specify the address family, that's all.
Well, as you are redirecting to an IPv4 address this is clear. If I'm not
mistaken, my recent changes to the interface expansion at parse time include
a fix for that.

> > rdr on $Ext_If inet proto udp from any to (ep1) port domain \
> >       -> (ep1) port domain
> > 
> > works.
> I'm a bit confused by this one as well. ep1 is my external interface,
> I want to redirect port "domain" to an internal box (192.168.1.1).

sorry, my fault.

> > nat.conf is gone in -current.
> Thanks Henning. I did know that but thought that the syntax shown
> for rdr is still valid.

Well, the syntax for (interface) wasn't shown in nat.conf at all. As this
happens inside the kernel, some things are a bit different.
We do know that pf.conf(5) could be better, and there are changes on the way.

-- 
http://2suck.net/hhwl.html
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
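Added example, not part of the thread: a pf.conf fragment that puts the rule the thread says fails to parse next to the form that states the address family, as the reply recommends. It assumes the thread's names (external interface ep1, internal DNS host 192.168.1.1) and nothing else. Note that pf macros are defined without the leading `$`; the `$` is only used when the macro is referenced.

```pf
# Added example, not from the thread. Assumes the thread's names:
# external interface ep1, internal DNS host 192.168.1.1.
Ext_If="ep1"

# Fails to load: ($Ext_If) can expand to both IPv4 and IPv6 addresses,
# and the kernel needs exactly one address family per rule.
#   rdr on $Ext_If proto udp from any to ($Ext_If) port domain \
#       -> 192.168.1.1 port domain
#   => /etc/pf.conf:26: address family (inet/inet6) undefined

# Loads: "inet" pins the family. The parentheses keep the rule following
# the interface's current IPv4 address, so the redirect survives a
# DHCP or PPP address change instead of being frozen at load time.
rdr on $Ext_If inet proto udp from any to ($Ext_If) port domain \
    -> 192.168.1.1 port domain
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without installing it, so a missing address family shows up as the error above rather than as a half-loaded ruleset; after `pfctl -f /etc/pf.conf`, `pfctl -sn` lists the translation rules the kernel actually holds.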