# Some questions about pf and nat



## IcePic (Mar 20, 2011)

Hi everybody,

I am trying to port my iptables rules from my linux box to my new FreeBSD router (yeah). I want unrestricted access from my internal net (192.168.1.1/24) to the internet, but block all ports from the internal net to the router except ssh. Local traffic on the router should not be allowed to leave the box.

I am using pf; my conf looks something like this (mainly taken from "The Book of PF").


```
#Devices
ext_if = "tun0"
int_if = "vr1"

localnet = $int_if:network

#nat
nat on $ext_if from $localnet to any -> ($ext_if)

#filter
block all

#allow access to the internet
pass from $localnet to any keep state

#Allow ssh on router from internal net
pass in proto tcp from $localnet to $int_if port 22
```

This does not work. I can't ping from my router to the internet (ping www.google.de). That is the right behaviour. But I cannot ping to the internet from the lan either. When I add the rule "pass out all" it works on all boxes, but it should not be possible on the router.

To state my problem more precisely: with iptables under linux I have in, out and forward rules. How can I emulate forward rules with pf?


----------



## SirDice (Mar 21, 2011)

Try something like this:

```
# options (set ...) have to come before the filter rules in pf.conf
set skip on lo0

block all
pass in on $int_if from $localnet to any keep state
pass in on $int_if proto tcp from $localnet to $int_if port 22
```


----------



## IcePic (Mar 21, 2011)

Hi,

I will try these rules this evening, but as far as I understand pf, this rule

```
pass in on $int_if from $localnet to any keep state
```

already allows traffic on the ssh port from the internal net on the router, doesn't it?


----------



## SirDice (Mar 21, 2011)

It would, yes.


----------



## hedgehog (Mar 21, 2011)

Something like this...
Traffic from lan to internet (NAT) allowed (except ssh).
ssh from lan to internal router IP allowed.
Everything else denied. However, you probably will need a rule that allows traffic from router to ISP, otherwise you won't even establish the pptp session.


```
#Devices
ext_if = "tun0"
int_if = "vr1"

localnet = "192.168.1.1/24"

#exclude ssh port from translation to internet (example); a port needs a tcp/udp proto
no nat on $ext_if proto tcp from $localnet to any port ssh

# nat, no further rules will be applied to translated packets
nat pass on $ext_if from $localnet to any -> ($ext_if)

#filter
block all

#allow traffic from internal net to internet
pass in from $localnet to !$int_if

#allow ssh from intranet
pass in on $int_if inet proto tcp from $localnet to $int_if port ssh
```


----------



## IcePic (Mar 21, 2011)

Ok, now it works. Here is my /etc/pf.conf:


```
ext_if = "tun0"
int_if = "vr1"

localnet = $int_if:network
set skip on lo

nat pass on $ext_if from $localnet to any -> ($ext_if)

block all
pass from $localnet to !$int_if keep state
```

After adding pass it works as I expect it. 

But can someone explain to me the difference between

```
nat pass on $ext_if from $localnet to any -> ($ext_if)
```

and

```
nat on $ext_if from $localnet to any -> ($ext_if)
```


----------



## IcePic (Mar 21, 2011)

Found it in the documentation:

> If the pass modifier is given, packets matching the translation rule are
> passed without inspecting the filter rules:

Anyway, thank you for the help, it is working now.


----------
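Pulling the thread together, here is an added example pf.conf for the setup IcePic describes (LAN to internet through NAT, LAN to router on ssh only, nothing originating on the router allowed out). It is not a file from the thread or from The Book of PF. It shows why the original config was blocked, keeps IcePic's `nat pass` variant and hedgehog's `no nat` exclusion as a commented alternative, and answers the "forward rules" question with pf's `tag`/`tagged` keywords. Interface names follow the thread; the tag name `LAN_FWD` and the `smtp` exclusion are arbitrary choices made here.

```pf
# Added example pf.conf (not a file from this thread). Interface names
# follow the thread; the tag name LAN_FWD is an arbitrary label chosen here.
ext_if   = "tun0"
int_if   = "vr1"
localnet = $int_if:network

# Options come first in pf.conf (options, normalization, queueing,
# translation, filtering); pfctl rejects other orderings.
set skip on lo0

# Translation. Without "pass", translated packets are still run through
# the filter rules on their way out $ext_if, but by then their source
# address is the router's external address, so "pass from $localnet"
# never matches on tun0. That is why the original config, with only
# "block all" and "pass from $localnet to any", let nothing through.
nat on $ext_if from $localnet to any -> ($ext_if)

# The alternative IcePic ended up with. Translated packets then bypass the
# filter completely, so "block all" never touches them. It is shorter, but
# outbound LAN traffic can no longer be restricted by filter rules;
# exceptions need "no nat" rules, as in hedgehog's post (smtp here is just
# an example port):
#   no nat on $ext_if proto tcp from $localnet to any port smtp
#   nat pass on $ext_if from $localnet to any -> ($ext_if)

block all

# The only service the router itself offers to the LAN.
pass in on $int_if proto tcp from $localnet to $int_if port ssh keep state

# Forwarded traffic: mark LAN packets when they arrive on $int_if ...
pass in on $int_if from $localnet to ! $int_if tag LAN_FWD keep state

# ... and let only marked packets leave on $ext_if. The tag survives
# translation; packets the router generates carry no tag and stay under
# "block all". This is the closest pf equivalent of an iptables FORWARD chain.
pass out on $ext_if tagged LAN_FWD keep state

# "to ! $int_if" excludes only the internal address, so the router's
# external address would still be reachable from the LAN through the tag
# rule. In pf the last matching rule wins, so this later rule closes that.
block in on $int_if from $localnet to ($ext_if)
```

Two things to check before loading this with `pfctl -nf /etc/pf.conf`: nothing here lets the router talk to the ISP over the physical uplink, which, as hedgehog points out, a tunnel such as PPTP needs, and those rules depend on the uplink interface this thread never names; and negated lists (`to ! { a, b }`) expand to one rule per entry, which pass everything, so excluded router addresses are better handled with separate `block` rules as above.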

