NAT and source IP filtering in PF, using OpenBSD >= 4.7

http://unix.stackexchange.com – I just read a book about PF (The Book Of PF, No Starch), but there's one question not answered by it. If I have a gateway machine using two interfaces, $int_if and $ext_if, and I NAT the packages coming from $int_if:net (which is, let's say, 10.0.0.0/24) to $ext_if using match, when does the NAT get applied? Before or after the filtering rules? Example:

    match out on $ext_if from 10.0.0.0/24 nat-to ($ext_if)
    pass out on $ext_if from 10.0.0.0/24
    block drop out on $ext_if from 10.0.0.23

Does that work? Or does the source IP of a packet coming from 10.0.0.23 get NATed to the address of $ext_if before