- Unison Kernel
- Pthread Cancellation
- Message Queues
- Conditional Variables
- Memory Allocation
- Directory Services
- Unison I/O Library
- Unison STDIO Library
- STDIO Library Calls
- Do-nothing Stubs
- STDIO Library Calls
- Unison LIBC Library
- Unison I/O Servers
- Graphics, Camera, Video, Audio
- Network Protocols
- TCP and UDP Server - tcpd
- DHCP Client Service - dhcp client
- DHCP Server - dhcpd
- Telnet Server - telnetd
- Tiny FTP Server - tftpd
- Point to Point - pppd
- Network Translation - NAT with PAT
- Tiny HTTP Server - thttpd
- Tiny HTTP Server with TLS
- POP3 Server
- Simple Mail Transfer Protocol Services (SMTP)
- Bootp Protocol
- File Transfer Protocol Server (FTP)
- File Transfer Client Services
- RPC / XDR
- DNS Client
- HTTP/HTTPS Client
- REST Client
- AutoIP Service - autoip client
- mDNS server - mdnsd
- SNTP Client
- SNMP Agent - Snmpd server
- SSL/TLS library
- SSH server
- IP security
- Power Control
- Serial I/O
- System Services
- Universal Serial Bus (USB)
- Remedy Tools for Unison
7.8.4.Translation rules: pf.nat
pf.nat – network address translation configuration description for packet filtering
The rules for network address translation specify which addresses are to be mapped and which are to be redirected.
A nat rule specifies that IP addresses are to be changed as the packet traverses the given interface. This technique of network address translation (NAT) allows a single IP address on the translating host to support network traffic for a larger range of machines on an inside network. Although in theory any IP address can be used on the inside, it is strongly recommended that one of the address ranges defined by RFC 1918 be used. These netblocks are:
10.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8) 172.16.0.0 - 172.31.255.255 (i.e., 172.16/12) 192.168.0.0 - 192.168.255.255 (i.e., 192.168/16)
A binat rule specifies a bidirectional map between an external IP address and an an internal IP address.
An rdr rule specifies an incoming connection to be redirected to another host and optionally a different port.
Note that all translation rules apply only to packets that pass through the specified interface. For instance, redirecting port 80 on an external interface to an internal web server will only work for connections originating from the outside. Connections to the address of the external interface from local hosts will not be redirected, since such packets do not actually pass through the external interface. Redirections can’t reflect packets back through the interface they arrive on, they can only be redirected to hosts connected to different interfaces or to the firewall itself.
Also note that all translations of packets occur before the filter rules (see pf.filtering) are evaluated. Hence, ‘pass in’ rules for redirected packets should specify the address/port after translation.
Syntax for NAT rules in BNF:
rule = [ "no" ] ( nat_rule | binat_rule | rdr_rule ) . nat_rule = "nat" "on" [ "!" ] ifname [ protospec ] "from" ipspec "to" ipspec [ "->" address ] . binat_rule = "binat" "on" ifname [ protospec ] "from" address "to" ipspec [ "->" address ] . rdr_rule = "rdr" "on" [ "!" ] ifname [ protospec ] "from" ipspec "to" ipspec [ portspec ] [ "->" address [ portspec ] ] . protospec = "proto" ( number | "tcp" | "udp" | "icmp" ) . ipspec = "any" | host . host = [ "!" ] address [ "/" mask-bits ] . portspec = "port" number [ ":" ( "*" | number ) ] .
Comments begin with the character ‘#’; empty lines are ignored. Rules are processed in the order read, one rule per line. The first matching rule is applied. Rules prefixed with “no” lead to no translation. Such rules can be used to exclude certain connections from being translated.
An ifname is a network interface such as eth0, wifi0 and etc. address can be specified in CIDR notation (matching a netblock) or as symbolic interface name. Host name resolution and interface to address translation are done at rule set load-time. When the address of an interface (or host name) changes (by DHCP or PPP, for instance), the rule set must be reloaded for the change to be reflected in the tcp-server. If specified, mask-bits refers to the number of bits in the net- mask. The negation character, ‘!’, may be used before an ifname or an address. The protocol specification is optional. If it is omitted, the rule applies to packets of all protocols.
rdr rules can optionally specify port ranges instead of single ports.
'rdr ... port 2000:2999 -> ... port 4000' – redirects ports 2000 to 2999 (including port 2000 and 2999) to the same port 4000.
'rdr ... port 2000:2999 -> ... port 4000:*' – redirects port 2000 to 4000, 2001 to 4001, …, 2999 to 4999.
In the example below, ppp0 is configured for the 192.168.168.1; the machine translates all packets coming from 192.168.168.0/24 to 184.108.40.206 when they are going out any interface except ppp0. This has the net effect of making traffic from the 192.168.168.0/24 network appear as though it is the Internet routeable address 220.127.116.11 to nodes behind any interface on the router except for the nodes on ppp0. (Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.)
nat on ! ppp0 from 192.168.168.0/24 to any -> 18.104.22.168
In the example below, eth0 is the outside interface; the machine sits between a fake internal 144.19.74.* network, and a routable external IP of 22.214.171.124. The “no nat” rule excludes protocol AH (51) from being translated.
no nat on eth0 proto 51 from 126.96.36.199/24 to any nat on eth0 from 188.8.131.52/24 to any -> 184.108.40.206
In the example below, eth0 is the outside interface; a 1:1 bidirectional map is created between the private address 192.168.1.5 and the routable external address 220.127.116.11. (Thus, incoming traffic to 18.104.22.168 is mapped to the internal address 192.168.1.5.)
binat on eth0 from 192.168.1.5 to any -> 22.214.171.124
This longer example uses both a NAT and a redirection. Interface wifi0 is the outside interface, and its external address is 126.96.36.199. Interface eth0 is the inside interface, and we are running thread listening for outbound ftp sessions captured to port 8081.
# NAT # translate outgoing packets' source addresses (any protocol) # in my case, any address but the gateway's external address is mapped # nat on wifi0 from ! 188.8.131.52 to any -> 184.108.40.206 # BINAT # translate outgoing packets' source address (any protocol) # translate incoming packets' destination address to an internal machine # (bidirectional) binat on wifi0 from 10.1.2.150 to any -> 220.127.116.11 # RDR # translate incoming packets' destination addresses # as an example, redirect a TCP and UDP port to an internal machine # NOTE: the lines below are split for readability # rdr on wifi0 proto tcp from any to 18.104.22.168/32 port 8080 \ -> 10.1.2.151 port 22 rdr on wifi0 proto udp from any to 22.214.171.124/32 port 8080 \ -> 10.1.2.151 port 53 # RDR # translate outgoing ftp control connections to send them to localhost # for capturing with thread's socket running on port 8081 rdr on eth0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
There is a demo available for the Unison and DSPnano pf.nat which is found in installdir/demos.