[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PF NAT Address Pool Source Interface



All:

It may seem rudimentary, but no where in the FAQ or man pages is it explicitly stated that the source address or address pool of a NAT translation must be assigned to an interface.

Obviously it can be either be a primary address (such as 99.9% of the PAT configurations on the Internet) or a series of IP Aliases assigned.

Further more, It doesn't actually state or recommend which interface the translated addresses should be assigned. Technically, it's irrelevant. In practice, it depends greatly on the overall network configuration (specifically, routing). As long as other hosts in the network know a discrete route to the subnet of the translated hosts via any interface on the device doing the translation.

The translation occurs to the packet's source address as it leaves the outbound interface (the one explicitly defined to the right of the "->" in the pf.conf(5) rule), so one might casually assume to assign the pool/address there; however in my tests, I've found that It can be assigned to the same interface as the subnet being translated.

However, if a translation rule in pf.conf(5) exists but the destination address/pool (the address to be translated to, not the optional destination CIDR mask), OpenBSD will still happily transmit a translated packet out an interface with a source address foreign to that segment / whatever media.

Even if other hosts receive a packet and reply to it, they won't be able to ARP for it, and if they could, the original OpenBSD box will drop the reply with destination host/network unreachable (obviously).

Wouldn't a better behavior to prevent the transmission of the packet in the same way the a socket cannot bind to a source port/ip if it is not assigned to an interface?

Thoughts?

TIA,
BAS