Old 02-16-2008, 05:06 AM
Peter Matulis
Re: intelligence of PF in dealing with a changing ip address?

On Mon, 22 Dec 2003 12:13:58 GMT, "Sameer" <ssnewsgroups@hotmail.com>
wrote:

>say you have an openbsd firewall... that has a wan connection directly
>connected to the internet, which gets its IP address through DHCP (cable
>modem scenario).
>
>say you want to put filter rules on that changing interface. does this pose
>a problem because of the changing IP address... or is OpenBSD smart enough
>to know that the address changes if you apply the rule to the interface and
>not an ip address?
>
>I know in reading the PF FAQ it mentions the following about NAT:
>
>----------
>"When specifying an interface name for the translation address as above, the
>IP address is determined at pf.conf load time, not on the fly. If you are
>using DHCP to configure your external interface, this can be a problem. If
>your assigned IP address changes then NAT will continue translating outgoing
>packets using the old IP address. This will cause outgoing connections to
>stop functioning. To get around this, you can tell PF to automatically
>update the translation address by putting parentheses around the interface
>name:
> nat on tl0 from dc0/24 to any -> (tl0)
>There is one major limitation to doing this: Only the first IP alias on an
>interface is evaluated when the interface name is placed in parentheses."
>
>----------
>
>I don't understand that last line, but I do understand where you have
>dynamically assigned addresses, you should put the interface in ()'s.
>
>there's no mention about anything, as far as I've come across, that mentions
>anything about what to do about rules when you are dealing with an interface
>that has a changing IP address. I'd assume you'd simply specify the
>interface alone, and OpenBSD would figure out what IP address to apply the
>rules to... or something like this.
>
>If I'm wrong can you please let me know where I mixed up my assumption, and
>if I'm right, can you give a supporting statement, because it will help to
>educate some others who say that it's impossible for a device to figure out
>what ip address to assign a rule to on its own.

Since packets are processed by NAT before rule evaluation you never
have to worry about a changing address in the actual (filter) rules.

And here is the supporting statement from the pf.conf man page:

"
TRANSLATION
Translation rules modify either the source or destination address
of the packets associated with a stateful connection. A stateful
connection is automatically created to track packets matching such a
rule as long as they are not blocked by the filtering section of
pf.conf. The translation engine modifies the specified address and/or
port in the packet, recalculates IP, TCP and UDP checksums as
necessary, and passes it to the packet filter for evaluation.
Translation occurs before filtering.
"
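A pf.conf fragment, added here as an illustration and not part of the original thread, that puts the load-time translation address from the quoted FAQ beside the parenthesised form, and shows filter rules that refer only to the interface so the DHCP lease can change without touching them. The interface names tl0 and dc0 and the dc0/24 network come from the FAQ excerpt; the service ports are assumed.

```pf
# Added example pf.conf (not from the thread); tl0 = external DHCP interface,
# dc0 = internal LAN, both taken from the FAQ line quoted above.
ext_if = "tl0"
int_if = "dc0"

# WEAK: the translation address is resolved once, when pf.conf is loaded.
# After the DHCP lease changes, outgoing packets keep the stale source
# address and outbound connections stop working (commented out on purpose).
# nat on $ext_if from $int_if/24 to any -> $ext_if

# CORRECTED: parentheses make PF look up the interface address on the fly.
# Caveat from the FAQ: only the first address (alias) on tl0 is used.
nat on $ext_if from $int_if/24 to any -> ($ext_if)

# Filter rules match on the interface, not on its current address, so
# nothing below depends on the lease. Translation has already happened
# by the time these rules are evaluated (man page: translation occurs
# before filtering). Last matching rule wins, so block first, then pass.
block in on $ext_if all
pass out on $ext_if proto { tcp udp } all keep state

# Inbound SSH to the firewall itself (port assumed for illustration).
pass in on $ext_if proto tcp from any to any port 22 keep state

# Keep the DHCP client working through the default block: the lease
# renewal that changes the address arrives on UDP 67 -> 68.
pass in  on $ext_if proto udp from any port 67 to any port 68
pass out on $ext_if proto udp from any port 68 to any port 67
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is a cheap way to check the syntax before activating a change like this.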