I am wondering when a packet reaches an interface and I have some PF rules, which gets checked first, the routing table or the ruleset?

# macros
ext_if = "em0"
int_if = "em1"
localnet = $int_if:network
VPN_if = 172.16.0.110

# NAT traffic leaving the external interface to that interface's own address
nat log on $ext_if from any to any -> ($ext_if)
# redirect inbound TCP (ports 1-65000) arriving on the external interface to the VPN host
rdr pass log on $ext_if proto tcp from !($ext_if) to any port 1:65000 \
        -> $VPN_if port 2500
# allow traffic from loopback and the LAN, keeping state
pass log from { lo0, $localnet } to any keep state
nawar

1 Answer

In FreeBSD the firewalls (IPF, IPFW, and PF) sit between the Device Driver and the IP Stack.
Routing is part of the IP Stack.

Chris S
  • So if I have a redirect rule in my PF ruleset that doesn't comply with the routing table, the PF rule wins? – nawar Jan 02 '14 at 12:54
  • PF Redirect just changes the destination IP of a packet, it doesn't route the packet. – Chris S Jan 02 '14 at 13:56
  • Thanks. So I have a BSD machine that runs NATing using PF. After de-NATing, I want to force some packets to be routed to a machine in the LAN behind the NAT machine while not messing with the packet. Can PF help in achieving that? – nawar Jan 02 '14 at 14:33
  • I'm not following... Perhaps explain the situation surrounding this? – Chris S Jan 02 '14 at 15:21
  • I am developing a VPN app running on a BSD server (let's call it V) and mobile clients (M). The clients send packets with private IPs. I also have a NATing server using PF (N). M sends requests to V, which forwards the traffic to N, which then NATs and sends the traffic to the internet. When N reverses the NATing, the packet's destination is private and doesn't belong to this LAN. I want to redirect this traffic using PF to V again to send the traffic to M through the established tunnel. Can redirection rules work here? I hope this clarifies the situation. Thanks! – nawar Jan 02 '14 at 15:53
  • So N doesn't know how to route to V? Just add a new route in the normal routing table. The PF rule should just translate the packet's destination address (redirect). Don't forget that V has to route back through V so the redirection can be undone on the way back out, else you'll end up with the hairpin problem. – Chris S Jan 02 '14 at 19:45
  • Thanks Chris. N knows how to route to V but not M. V knows how to route to M though because there is a tunnel between them. I want all the traffic that doesn't belong to N to go to V on a specific interface. I have added my PF rules in that question. I suspect that my redirect rule is faulty. I would appreciate if you help me with it. I also don't understand what you mean by 'V has to route back through V.' – nawar Jan 06 '14 at 11:18
  • Any thoughts about how to do that? – nawar Jan 10 '14 at 16:24
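The driver -> PF -> routing order from the answer, and the "just add a route" advice from the comments, modelled as an added Python example (not code from the thread). Only 172.16.0.110 and port 2500 come from the question; N's public address 203.0.113.10, its gateway 203.0.113.1 and the VPN clients' net 10.8.0.0/24 are constructed, and the rdr rule's `from !($ext_if)` source check is left out.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the FreeBSD path in the answer: the driver hands the
# packet to PF first (rdr rewrites only the destination), then the IP stack
# consults the routing table. 172.16.0.110 and port 2500 come from the
# question; 203.0.113.x and 10.8.0.0/24 are constructed for this example.
EXT_IF, INT_IF = "em0", "em1"
N_PUBLIC = "203.0.113.10"   # N's address on em0 (constructed)
V_ADDR = "172.16.0.110"     # $VPN_if in the question

@dataclass
class Packet:
    in_if: str
    proto: str
    dst: str
    dport: int

def pf_rdr(pkt: Packet) -> Packet:
    """The question's rdr rule, simplified (the 'from !($ext_if)' source
    check is left out): inbound TCP on $ext_if to ports 1-65000 gets its
    destination rewritten to $VPN_if:2500. No next hop is chosen here."""
    if pkt.in_if == EXT_IF and pkt.proto == "tcp" and 1 <= pkt.dport <= 65000:
        return Packet(pkt.in_if, pkt.proto, V_ADDR, 2500)
    return pkt

def route_lookup(routes, dst: str):
    """Longest-prefix match over (prefix, next_hop, interface) entries, the
    IP stack's job after PF has run. Returns None if nothing matches."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nexthop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    return None if best is None else (best[1], best[2])

def forward(routes, pkt: Packet):
    """Driver -> PF -> routing, in that order; returns the destination PF
    left on the packet and the (next_hop, interface) routing picked."""
    translated = pf_rdr(pkt)
    return translated.dst, route_lookup(routes, translated.dst)

# N's routing table as the comments describe it: it can reach V on the LAN,
# but has no route to the VPN clients' private net (constructed).
ROUTES = [("0.0.0.0/0", "203.0.113.1", EXT_IF),
          ("172.16.0.0/24", "connected", INT_IF)]
# The fix suggested in the comments: a plain route for the clients' net via V.
ROUTES_WITH_VPN = ROUTES + [("10.8.0.0/24", V_ADDR, INT_IF)]
```

Without the extra route, a de-NATed packet for 10.8.0.5 matches only the default route and leaves via em0; with it, the same packet is handed to V on em1, while the rdr rule itself never influences that choice.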