ok. freebsd pf knowing people. Is there a way to say "nat for this range _except_ for this host" ?

@sungo What's the use case, you're blocking that host from going to the internet through the NATed interface? In that case, I think NATing the range and then adding a block statement for that host might work, just make sure the block rule happens last (or you use quick).

@ToroidalCore I'm back to pf after a long time away so I'm also very much monkey smashing bananas against keyboard tonight.

The full picture is that I have a little network with a couple boxes on it. One of those boxes can't be trusted with the outside world. I want to NAT the internal network _except_ for that host but let it still access services on the firewall (dns, dhcp, etc)

@sungo I see. I think what you could do is...
*Pass in everything on the firewall's internal NIC, on its network
*Block traffic from the untrusted host on that NIC
*Allow traffic from the untrusted host to whatever services on the firewall
*NAT rule

I *think* that should just allow the host to access the ports you want, but traffic going anywhere else would get blocked, even if the whole subnet would get NATed. The untrusted host wouldn't hit the NAT rule.

@ToroidalCore ah ok. I think I see what you're saying. My brain always gets twisted by ordering in pf.

@sungo Remember that the last match is the one that applies, unless you use the 'quick' keyword.

Also, I'm redoing my pf.conf, and I've been referring to this, again for OpenBSD, but it might give you some ideas:

@ToroidalCore excellent. thank you so much. I suspect this is freebsd vs openbsd but whoo boy does freebsd pfctl not like the nat rule being last

@sungo Yeah, I think PF was ported, and then they changed it a bunch and the syntax kind of got frozen in time for FreeBSD. You should be able to pluck the NAT stuff out of their documentation, the key is just to pass everything, block the host, then allow services.

As an aside, you might want to think about throwing that host on another subnet (VLAN or other NIC). You can still route to it from your main one, but it might make it easier to contain.

@ToroidalCore thanks for all the help. I greatly appreciate it :)

@sungo Disclaimer: I'm using OpenBSD for my firewall, syntax may be different. Maybe like this?

pass in on $lan
block in drop on $lan from $untrusted
pass in on $lan port 22 from $untrusted
pass out on $lan inet keep state

pass out on $ext from $lan:network to any nat-to ($ext)

Sign in to participate in the conversation

This is a single-user instance, namely for @sungo