Re: Hiding NATs with PF
From: Max Bolingbroke (batterseapower_at_hotmail.com)
Date: 09/29/05
- Next message: Antti Nykänen: "Re: KDE 3.4.2"
- Previous message: Joachim Schipper: "Replication/failover on OpenBSD?"
- In reply to: Simon Farnsworth: "Re: Hiding NATs with PF"
- Next in thread: Simon Farnsworth: "Re: Hiding NATs with PF"
- Reply: Simon Farnsworth: "Re: Hiding NATs with PF"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 28 Sep 2005 16:55:37 -0700
Simon Farnsworth wrote:
> On the other hand, make it, and you have the potential to completely trash
> their routing, to the point that they have to send someone round with a
> laptop to work out which segment is confusing things.
Very true :). Just so I know what to avoid, would a pf rule causing
this sort of problem look something like this:
rdr on $int_if proto tcp from any to any port 80 -> $some_external_ip
I have a feeling that this is wrong. It also seems a bit contrived. Is
there some subtler way I could introduce this behaviour accidentally?
> Incidentally, I used to know an admin of a university network with the same
> policy. His view on it was that unofficially, they didn't go looking for
> breaches of this rule, but if a security incident brought it to their
> attention, you were *toast* (as in facing the risk of being thrown out
> altogether). I would guess that you're in a similar situation, so bear that
> risk in mind, and get your configs *right* first time :)
Duly noted :)
Thanks a lot for your help,
Max