
Re: PF and passing traffic from RFC 1918 addresses in on external interface

> Does pf drop traffic incoming on the external interface from RFC 1918
> address by default, even if the ruleset says to pass in all, pass out all?
> Excerpts from pf.conf:
> nat on fxp1 from to any ->
> pass in all
> pass out all

Excerpts? Why? Are we to guess what else might be in there?

So you are trying to access nat'd hosts from outside the nat boundary. That 
won't work if the excerpt of your pf.conf is accurate wrt translation rules. 
When you disable pf it works because you also disable nat.

You need to selectively nat only traffic bound for destinations NOT on your 
internal WAN. Otherwise a ping to would arrive OK, but the 
response would be subjected to translation and appear to come from the 
gateway's external address. So, I guess something like:

no nat on fxp1 from to <any internal subnets>
nat on fxp1 from to any ->
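The translation-rule ordering the reply suggests, written out as an added example that is not part of the original thread; the interface name fxp1 comes from the post, while the internal subnet values, the macro names and the table name are constructed placeholders.

```conf
# Added example, not from the original mailing-list post.
# Interface from the thread; address values are constructed placeholders.
ext_if  = "fxp1"
int_net = "192.168.1.0/24"          # hosts behind the NAT gateway
# Other RFC 1918 subnets reachable over the internal WAN (placeholder values).
table <internal_subnets> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# AS EXCERPTED (problem): every packet from the internal network leaving
# fxp1 is translated, including replies to hosts on the internal WAN, so
# those replies appear to come from the gateway's external address.
#
#   nat on $ext_if from $int_net to any -> ($ext_if)

# CORRECTED: pf evaluates translation rules in order and the first match
# wins, so the exception must precede the general nat rule.
no nat on $ext_if from $int_net to <internal_subnets>
nat    on $ext_if from $int_net to any -> ($ext_if)

# Filtering happens after translation; the excerpt's filter rules unchanged.
pass in all
pass out all
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -s nat` shows the loaded translation rules in the order they will be matched.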