Re: [Fwbuilder-discussion] Question about PF NAT Compiler Rule Printer + NAT Rule Types
From: Vadim K. <va...@vk...> - 2009-03-25 00:50:11
On Mar 24, 2009, at 4:08 PM, Tom Judge wrote:

> Hi,
>
> Could someone please explain what the print_range_end field is intended
> for in the following function:
>
> void NATCompiler_pf::PrintRule::_printPort(Service *srv, bool print_range_end);
>
> From the function definition it seems that it's used for open ended port
> ranges?

Yes, for things like

rdr proto tcp from any to 22.22.22.22 port 10000:11000 -> 192.168.1.10 port 10000:*

The NNN:* construct is allowed on the right hand side of the "->" but
not on the left side.

> Also some comments on each of the following (From libfwbuilder -> NAT.h)
> would be appreciated. I am trying to work out a problem with the NAT
> compiler when dealing with tags in PF and am unsure of the criteria that
> match each of these rule types.
>
> typedef enum { Unknown,
>                NONAT,
>                SNAT,
>                Masq,
>                DNAT,
>                SDNAT,
>                SNetnat,
>                DNetnat,
>                Redirect,
>                Return,
>                Skip,
>                Continue,
>                LB } NATRuleTypes;

Not all NAT types defined in the enum can be implemented for PF. However, here
are the brief descriptions:

NONAT - self-explanatory
SNAT - "source nat", after corresponding target in iptables. NAT rule translates source address
Masq - "masquerading", not used for PF, used for iptables.
DNAT - "destination nat", also after corresponding target in iptables. NAT rule translates destination address
SDNAT - kind of nat rule that translates both source and destination
SNetnat - translates source address network to network, I don't think it is used for PF
DNetnat - similar to SNetnat but for destination
Redirect - redirection rule, destination translation when translated destination is firewall itself
Return - used internally, especially with iptables where compiler creates chains in the nat table
Skip - not used for pf
Continue - internally used for nat rules with negation
LB - for nat rules that do load balancing

Hope this helps

--vk
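Added example, not fwbuilder's own code: a C++ sketch of the port-clause printing discussed in this thread, assuming that print_range_end=false is what yields the open-ended "start:*" form and that the printer refuses that form on the match side (before "->"), where PF does not accept it. PortRange and Side are hypothetical stand-ins, not libfwbuilder types.

```cpp
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for the fwbuilder Service object: one port or a range.
// start == end is a single port; start == 0 means "no port restriction".
struct PortRange {
    int start;
    int end;
};

// Which side of the "->" a clause is printed on.
enum class Side { Match, Translate };

// Render the " port ..." clause of a PF translation rule. Assumed meaning of
// print_range_end: when false, a range is emitted as the open-ended "start:*",
// which PF accepts only on the Translate side, so we refuse it on the Match side.
std::string printPort(const PortRange &p, bool print_range_end, Side side) {
    if (p.start == 0) return "";                    // no port clause at all
    std::ostringstream os;
    os << " port " << p.start;
    if (p.end > p.start) {                          // a real range
        if (print_range_end) {
            os << ":" << p.end;
        } else {
            if (side == Side::Match)
                throw std::invalid_argument("NNN:* is not allowed before ->");
            os << ":*";
        }
    }
    return os.str();
}

// Build an rdr rule; the two flags are the print_range_end values for each side.
std::string rdrRule(const std::string &proto, const std::string &dst, const PortRange &dstPorts,
                    bool dstRangeEnd, const std::string &to, const PortRange &toPorts,
                    bool toRangeEnd) {
    std::ostringstream os;
    os << "rdr proto " << proto << " from any to " << dst
       << printPort(dstPorts, dstRangeEnd, Side::Match)
       << " -> " << to << printPort(toPorts, toRangeEnd, Side::Translate);
    return os.str();
}

int main() {
    // Reproduces the rule quoted in the message above.
    std::cout << rdrRule("tcp", "22.22.22.22", {10000, 11000}, true,
                         "192.168.1.10", {10000, 11000}, false) << "\n";
    return 0;
}
```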