[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
PF NAT Address Pool Source Interface
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: PF NAT Address Pool Source Interface
- From: "Brian A. Seklecki" <lavalamp_(_at_)_spiritual-machines_(_dot_)_org>
- Date: Mon, 5 Dec 2005 10:40:31 -0500 (EST)
It may seem rudimentary, but no where in the FAQ or man pages is it
explicitly stated that the source address or address pool of a NAT
translation must be assigned to an interface.
Obviously it can be either be a primary address (such as 99.9% of the PAT
configurations on the Internet) or a series of IP Aliases assigned.
Further more, It doesn't actually state or recommend which interface the
translated addresses should be assigned. Technically, it's irrelevant.
In practice, it depends greatly on the overall network configuration
(specifically, routing). As long as other hosts in the network know a
discrete route to the subnet of the translated hosts via any interface on
the device doing the translation.
The translation occurs to the packet's source address as it leaves the
outbound interface (the one explicitly defined to the right of the "->" in
the pf.conf(5) rule), so one might casually assume to assign the
pool/address there; however in my tests, I've found that It can be
assigned to the same interface as the subnet being translated.
However, if a translation rule in pf.conf(5) exists but the destination
address/pool (the address to be translated to, not the optional
destination CIDR mask), OpenBSD will still happily transmit a translated
packet out an interface with a source address foreign to that segment /
Even if other hosts receive a packet and reply to it, they won't be able
to ARP for it, and if they could, the original OpenBSD box will drop the
reply with destination host/network unreachable (obviously).
Wouldn't a better behavior to prevent the transmission of the packet in
the same way the a socket cannot bind to a source port/ip if it is not
assigned to an interface?
Visit your host, monkey.org