
Re: self-defeating pf?



At 11:13 AM 7/27/2002 -0700, you wrote:
>Thank you,
>
>Yes there are multiple servers involved, that is the reasoning for using
>alternate ports. As for the example from your working implementation, yes
>that would work perfectly well -outbound- as you have it.
>
<sigh>  Not as a slight, but I should have used a better, more simple
example.  
$ManagedNets in that example, are subnets *outside* the firewall.
And where do you see "pass out"?
Clients connect IN from the outside, through a redirect, to the Citrix box
on the inside.

>My point is that creating a rule re-directing packets from the outside
>world is pointless because you have to open a hole in the firewall to
>allow those packets in anyway.
>
	What?  I see no point here.   Really.
Again, why is it pointless to map otherwise unreachable addresses to public
IP space to provide services?
One hole, one port.  If you don't want to do it, don't.  You are not
exposing the whole host's port range.

What are you trying to accomplish anyway?  If you want to give access to
the world there has to be a hole.

>side note; man pf specifically states that you need a filter rule
>allowing the rdr packet in on the external interface.
>
	No kidding.  Gee, that's what *all* of my other rules do too.  No wonder
they work!

>So what makes you say that rdr forces packets to the internal ip?
>
Because the rule says so for that port?  "s/forces/translates to" might be
better.
And it translates at the EXTERNAL interface, where the packet comes *in*.

>If it were true that rdr forces packets to the internal ip, then we
>wouldn't have to write a rule on the external interface explicitly
>allowing the rdr packets in.
>
	But you do!  The packet comes in on the EXTERNAL interface, is
translated/redirected to the INTERNAL address, and *then* compared to the
pf rules.
I think you're being semantically picky here.
The docs describe the process exactly.

Either you've not understood the docs, or are being intentionally obtuse.

Signing off, 

Joseph C. Bender
benderjc (at) benderhome.net   ;   jcbender (at) benderhome.net
This account is used primarily for reading and responding to mailing list
traffic and is not my main mailing address.
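The order of operations argued over in this thread (packet arrives on the external interface, rdr rewrites its destination, and only then is it matched against the filter rules, so the pass rule must describe the translated packet) is easier to see in a minimal ruleset. The fragment below is an added illustration written for this page, not Joseph's actual configuration; the interface names, the addresses, the two internal servers and the choice of 1494 (the Citrix ICA default) with an alternate public port for the second server are all assumptions. It uses the OpenBSD 3.x-era syntax in which nat/rdr rules precede filter rules and the last matching filter rule wins unless marked quick.

```pf
# Added example (not from the original mail). All names, addresses and
# ports below are constructed; adjust to the real topology.
ext_if  = "fxp0"             # Internet-facing interface
int_if  = "fxp1"             # interface toward the private subnet
citrix1 = "192.168.1.10"     # first internal Citrix server (constructed)
citrix2 = "192.168.1.11"     # second internal Citrix server (constructed)
ica     = "1494"             # ICA default port on both servers

# --- translation (evaluated before filtering) -----------------------------
# Each public port maps to exactly one host and one port inside; the second
# server uses an alternate public port because both listen on 1494 internally.
rdr on $ext_if proto tcp from any to $ext_if port $ica  -> $citrix1 port $ica
rdr on $ext_if proto tcp from any to $ext_if port 2494  -> $citrix2 port $ica

# --- filtering (evaluated after rdr has rewritten the destination) --------
block in  log on $ext_if all
block out     on $ext_if all

# The filter sees the TRANSLATED packet, so the pass rule names the internal
# address, not $ext_if. Matching on the internal host and port keeps the hole
# to one host and one port per rdr rule rather than the whole port range.
pass in on $ext_if proto tcp from any to $citrix1 port $ica flags S/SA keep state
pass in on $ext_if proto tcp from any to $citrix2 port $ica flags S/SA keep state

# Replies from the inside are covered by the state entry, so nothing further
# is needed for the return path; outbound client traffic is a separate matter.
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without activating it, and `pfctl -s nat` followed by `pfctl -s rules` shows the two tables in the order they are consulted. If a redirected connection is still refused, `tcpdump -n -e -ttt -i pflog0` shows what the logging block rule dropped; a destination of the internal address in that output confirms translation happened and the pass rule simply did not match it.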


