NAT applied before Firewall ruleset?
-
I just wanted to pop in here and confirm this as being an expected behavior from the pros.
Let's assume this setup:
WAN: 1.2.3.4
LAN: 192.168.1.0/24
Let's say I create a PAT/NAT rule that forwards port 81 from the WAN to an internal webserver on port 80, thus looking like: 1.2.3.4:81 -> 192.168.1.100:80
Now let's say I want to deny 4.3.2.1 from accessing my server. So I create a firewall rule that denies 4.3.2.1 from accessing port 81 on my WAN interface.
From the test I just did, the traffic is still allowed through. The firewall log shows allowing a connection from 4.3.2.1 to a destination of port 80. The NATing on the WAN seems to be unknown to the firewall function. This makes me assume that pfSense is applying all NAT rules before firewall rules.
From my understanding, this is an incorrect behavior; am I completely mixed up? -
NAT happens before firewall rules. You can't filter on the "WAN" address if that same port has been forwarded in to a local system.
If the packet matches the NAT rule, the translation happens, and the filter only picks up on the IP:PORT specified as the target of the NAT.
That is the correct and intended behavior.
-
Just to make sure, is this intended behavior specific to pfSense/m0n0wall?
I can't seem to reproduce this on other firewall platforms, just wanted to be 100%. -
It's specific to pf, the packet filter we use, which comes from FreeBSD which brings it in from OpenBSD.
m0n0wall uses ipfilter, which is different.
Others might use ipfw, ipchains/iptables, etc. They can all act differently; you need to check the docs for each one to find out the expected order of operations.
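The order of operations described in the answers above, written out as a pf.conf fragment. This is an added example, not configuration from the thread or from pfSense itself; the interface name `em0` and the macro names are assumptions, while the addresses and ports are the ones from the question. It uses the `rdr`/`nat` rule syntax that FreeBSD's pf (and therefore pfSense of that era) accepts, rather than the newer OpenBSD `match ... rdr-to` form.

```pf
# Added example (not from the thread): pf.conf fragment for the setup in the question.
# "em0" is a placeholder interface name; addresses and ports are taken from the thread.
ext_if  = "em0"
wan_ip  = "1.2.3.4"
web_srv = "192.168.1.100"
bad_ip  = "4.3.2.1"

# 1. Redirection (NAT) is evaluated first. A packet arriving on em0 for
#    1.2.3.4:81 has its destination rewritten to 192.168.1.100:80 before
#    any filter rule is consulted.
rdr on $ext_if proto tcp from any to $wan_ip port 81 -> $web_srv port 80

# 2. Filter rules then see the TRANSLATED destination. This is the rule
#    from the question: it never matches forwarded traffic, because by the
#    time filtering runs the packet is no longer addressed to 1.2.3.4:81.
block in quick on $ext_if proto tcp from $bad_ip to $wan_ip port 81

# 3. The working equivalent: block on the post-translation destination,
#    which is what the firewall log in the question actually showed.
block in quick on $ext_if proto tcp from $bad_ip to $web_srv port 80

# 4. Everyone else may reach the forwarded service; again the pass rule
#    names the internal host and port, not the WAN address and port 81.
pass in quick on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is a cheap way to check the syntax before applying it. The practical rule of thumb is the one the answer gives: on the interface where a port forward is defined, filter rules must be written against the internal IP and port, since that is the only tuple the filter ever sees for that traffic.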