NAT and port aliases
Could not find this elsewhere - apologies if it is.
Just moving one of our firewalls to version 2 (2.0-BETA4 (i386) built on Thu Sep 2 23:07:04 EDT 2010 FreeBSD 8.1-RELEASE) and am setting up the NAT stuff. If I set a NAT rule up using an alias for the port it works if the ports are not being translated ie same ports on the external interface as are being used on the internal server but fails with a syntax error if the ports are being translated.
For example, if I set up an alias for my FTP with ports 21, 5100:5200 and use this for both the Dest ports and the NAT Ports then everything is fine.
However, if I use an alias for only one (Dest or NAT) then it fails with a syntax error - exact error generated by trying to translate https (443) to port 9180 - can use https in the port drop down but have to use 9180 in the NAT - can not use an alias that has a value of 9180.
On latest snapshot 2.0-BETA4 (i386) built on Mon Sep 6 22:04:59 EDT 2010 there does not seem to be a way to edit the redirect target port at all if you used a port alias in it. Only way to change it is to select one of the predefined ports from the dropdown, anything else is changed back to the port alias on save.
Please post screenshots or config.xml otherwise this is just a tale spoken in techy slang :)
No useful information in this post to be used for trouble shooting.
Brain failure - should know better by now :)
Attached are a working and not working NAT definition and the definition of the alias that is being used.
When it fails the error generated in the log is:-
There were error(s) loading the rules: /tmp/rules.debug:216: syntax error
pfctl: Syntax error in config file: pf rules not loaded The line in question reads : rdr on bge0_vlan16 proto tcp from any to $SecureEEMExternal port 443 -> $SecureEEMInternal port $TEEMPort
Let me know if anything else would be helpful
![NAT Port Forward Working.gif](/public/imported_attachments/1/NAT Port Forward Working.gif)
![NAT Port Forward Working.gif_thumb](/public/imported_attachments/1/NAT Port Forward Working.gif_thumb)
![NAT Port Forward Not Working.gif](/public/imported_attachments/1/NAT Port Forward Not Working.gif)
![NAT Port Forward Not Working.gif_thumb](/public/imported_attachments/1/NAT Port Forward Not Working.gif_thumb)
Ok, I have a port alias "test_ports" that is a single port 10000.
I have a port forward of "test_ports" on WAN interface redirected to a host on my LAN to port "test_ports" and there is an automatically created filter rule associated with this port forward.
First picture is the port forward I have opened for editing and I have just changed the redirect target port to 12345 from "test_ports". Second picture is after pressing save and you can see that the "Nat Ports" column for the last NAT rule has not changed to 12345 as it should have.
Currently it is supposed to only allow you to use the same alias for destination ports and redirect target ports and nothing else when you use a port alias, however there is no input validation to enforce this, as far as I know. The back-end could be changed to resolve the alias so that the error does not occur. However, this could only work for aliases with a single port or a single range, since there does not appear to be a way for the redirection port field in rules.debug to accept anything beyond that.
I've put in a fix for this, though it has limitations. If you use an alias for redirect target port and destination port is not using that same alias, it can only use the first port or port range for redirect target port.