openbsd pf received-on

Day-to-day questions about installing, upgrading and updating OpenBSD.

openbsdsir008
Posts: 80
Joined: 2014-03-20 16:19

openbsd pf received-on

Post by openbsdsir008 » 2014-06-20 18:02

RDR-TO and NAT-TO Combination

With an additional NAT rule on the internal interface, the lacking source address translation described above can be achieved.

pass in on $int_if proto tcp from $int_net to $ext_if port 80 \
    rdr-to $server
pass out on $int_if proto tcp to $server port 80 \
    received-on $int_if nat-to $int_if

This will cause the initial packet from the client to be translated again when it's forwarded back through the internal interface, replacing the client's source address with the firewall's internal address. The internal server will reply back to the firewall, which can reverse both NAT and RDR translations when forwarding to the local client. This construct is rather complex as it creates two separate states for each reflected connection. Care must be taken to prevent the NAT rule from applying to other traffic, for instance connections originating from external hosts (through other redirections) or the firewall itself. Note that the rdr-to rule above will cause the TCP/IP stack to see packets arriving on the internal interface with a destination address inside the internal network.

What are these paragraphs in the pf FAQ trying to explain?
What is the goal of applying rules like these?
They have me confused.
What does received-on do?

acheng
Posts: 581
Joined: 2011-07-07 21:52

Re: openbsd pf received-on

Post by acheng » 2014-06-20 23:31

With an additional NAT rule on the internal interface, the lacking source address translation described above can be achieved.
In other words, the section that follows mainly explains how and why combining "RDR-TO" + "NAT-TO" can achieve source address translation (SNAT).

The preceding section, "Redirection and Reflection", explains what goes wrong without SNAT:
But the source address has not been translated, and still contains the local client's address, so the server sends its replies directly to the client. The firewall never sees the reply and has no chance to properly reverse the translation. The client receives a reply from a source it never expected and drops it. The TCP handshake then fails and no connection can be established.
received-on is used to specify which interface the packet was received on.
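To make the FAQ's two rules concrete, here is a complete pf.conf skeleton built around them. This is an added example, not the pf FAQ's or either poster's configuration; the interface names, the internal network and the server address are assumptions chosen for illustration. Compared with the FAQ fragment it also narrows the nat-to rule with `from $int_net`, which is one way to honour the FAQ's warning that the NAT rule must not catch other traffic.

```pf
# Added example (not from the pf FAQ or from this thread).
# Interface and address values below are assumed for illustration.
ext_if  = "em0"                # external interface
int_if  = "em1"                # internal interface
int_net = "192.168.1.0/24"     # internal LAN (assumed)
server  = "192.168.1.20"       # internal web server (assumed)

set skip on lo

# Normal outbound traffic from the LAN, source-translated to the
# external address.
pass in on $int_if from $int_net
pass out on $ext_if from $int_net nat-to $ext_if

# Reflection, step 1: a LAN client connects to the firewall's external
# address on port 80. rdr-to rewrites the destination to $server, so the
# packet will be forwarded back out through $int_if.
pass in on $int_if proto tcp from $int_net to $ext_if port 80 \
    rdr-to $server

# Reflection, step 2: the same packet now leaves on $int_if with
# src = client, dst = $server. nat-to replaces the client's source
# address with the firewall's internal address, so the server's reply
# returns to the firewall, which reverses both translations.
# received-on $int_if restricts this rule to packets that entered on
# the internal interface; packets that came in on $ext_if through some
# other redirection, or that the firewall itself generated, never match.
# Each reflected connection therefore produces two states: one for the
# rdr-to rule and one for this nat-to rule.
pass out on $int_if proto tcp from $int_net to $server port 80 \
    received-on $int_if nat-to $int_if
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and after a client on the LAN connects to the external address, `pfctl -ss` shows the two separate states the FAQ mentions for that one connection. Because pf applies the last matching rule, the reflection rules are placed after the general `pass` rules so that they are the ones that win for this traffic.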
