# How to manage a "nat/rdr" part of PF.



## bryn1u (May 8, 2014)

Hey,

I have a PF ruleset:

```
IP_PUB="37.187.x.x"
IP_JAIL="192.168.0.1"
NET_JAIL="192.168.0.0/24"
PORT_JAIL="{80,31337,21}"

nat pass on em0 from $NET_JAIL to any -> $IP_PUB
rdr pass on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL

block in all
pass on em0 proto tcp from any to any port 22
```
And I can still connect to the jail on ports 80, 31337 and 21. Port 31337 is an SSH port. How can I manage ports and IPs when I redirect? I cloned "lo0" as an interface for the jail. My ifconfig:

```
em0: .............never mind .............

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 192.168.0.2 netmask 0xffffffff
        inet 192.168.0.3 netmask 0xffffffff
        inet 192.168.0.1 netmask 0xffffffff
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
```

Can someone tell me, for example, how to block port 31337 on lo0/lo1? I'd be very grateful.


----------



## SirDice (May 8, 2014)

bryn1u said:

> ```
> rdr pass on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL
> ```


Because of the pass keyword this rule also creates a pass rule to allow the traffic. The above line is the same as doing:

```
rdr on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL
# "port" is only valid together with proto tcp or udp, so the proto is needed here too
pass in on em0 proto tcp from any to $IP_JAIL port $PORT_JAIL
```
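The following is an added example, not code from either poster, showing the separated form applied to the original ruleset: the `rdr` lines carry no `pass`, so the explicit filter rules decide what reaches the jail, and the jail's SSH port 31337 is only reachable from an administrative network. `ADMIN_NET` is a constructed placeholder (documentation range) that must be replaced with the real source network; the other macros are the ones from the question.

```pf
# Added example (not from the thread): translation and filtering kept separate,
# so the jail's SSH port is reachable only from an admin network.
IP_PUB="37.187.x.x"
IP_JAIL="192.168.0.1"
NET_JAIL="192.168.0.0/24"
ADMIN_NET="203.0.113.0/24"   # constructed placeholder; use your own management network

nat on em0 from $NET_JAIL to any -> $IP_PUB

# rdr without "pass": nothing is allowed here, the filter rules below decide
rdr on em0 proto tcp from any to $IP_PUB port {80, 21} -> $IP_JAIL
rdr on em0 proto tcp from any to $IP_PUB port 31337 -> $IP_JAIL

block in all

# filter rules see the translated (post-rdr) destination, i.e. $IP_JAIL
pass in on em0 proto tcp from any to $IP_JAIL port {80, 21}
pass in on em0 proto tcp from $ADMIN_NET to $IP_JAIL port 31337

# host SSH stays reachable as in the original ruleset
pass on em0 proto tcp from any to any port 22
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then inspect what is actually active with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules): if 31337 still answers from an address outside `ADMIN_NET`, a `pass` elsewhere in the ruleset or a `rdr pass` line is letting it through.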


----------



## bryn1u (May 8, 2014)

Thank you!


----------

