One other thing we will be talking about quite a lot are 'inner' and 'outer' addresses, 'routable' and 'non-routable' addresses. This is, at the heart of things, not directly related to firewalls or packet filtering, but due to the way the world works today, we will need to touch on it.

It all comes from the time in the early 1990s when somebody started calculating the number of computers which would be connected to the Internet if the commercialization continued and the great unwashed masses of consumers were to connect at the same time.

At the time the Internet protocols were formulated, computers were usually big, expensive things which would normally serve a large number of simultaneous users, each at their own more or less dumb terminal. Under any circumstances, the only ones allowed to connect were universities and a number of companies with Pentagon contracts. Essentially 32 bit addresses of 4 octets would go an extremely long way. It would accommodate literally millions of machines, even.

Then Internet commercialization happened, and all of a sudden there were actually millions of small, inexpensive machines wanting to connect at the same time. This kind of development showed every sign of continuing and even accelerating. This meant that the smart people who had made the net work, needed to do another few pieces of work. They did a few things more or less at the same time. For one, they started working on a solution based on a larger address space - this has been dubbed IP version 6, or IPv6 for short - which uses 128 bit addresses. This has been designated as the long term solution. I thought I'd mention at this point that IPv6 support is built into OpenBSD by default, and PF has as far as I know always contained IPv6 support[1]. If you need to filter on traffic belonging to both address families, you differentiate by designating inet for rules that apply to IPv4 traffic and inet6 for rules that apply to IPv6 traffic. The examples in this document were originally written for an IPv4-only setting, but most of the material here will apply equally to both address families.

In addition, some sort of temporary solution was needed. Making the world move to addresses four times the size would take considerable time. The process is as far as we can see still pretty much in an early stage. They found a temporary solution, which consists of two parts. One part was a mechanism to offer the rest of the world 'white lies' by letting the network gateways rewrite packet addresses, the other was offered by designating some address ranges which had not been assigned earlier for use only in networks which would not communicate directly with the Internet at large. This would mean that several different machines at separate locations could have the same local IP address. But this would not matter because the address would be translated before the traffic was let out to the net at large.

If traffic with such "non routable" addresses were to hit the Internet at large, routers seeing the traffic would have a valid reason to refuse the packets to pass any further.

This is what is called "Network Address Translation", sometimes referred to as "IP masquerade" or similar. The two RFCs which define the whats and hows of this are dated 1994 and 1996 respectively [2].

There may be a number of reasons to use the so called "RFC 1918 addresses", but traditionally and historically the main reason has been that official addresses are either not available or practical.



But even with the point at which the unassigned ranges of IPv4 addresses is about to run out only months away, IPv6 adoption is still in the early stages. And as luck would have it as more people are starting to look at the newer generation protocols in earnest, issues are discovered, some with potentially serious security implications such as the ICMP6 design flaw which generated some controversy in early 2007.


The two documents are RFC 1631, "The IP Network Address Translator (NAT)", dated May 1994 and RFC 1918, "Address Allocation for Private Internets", dated February 1996. See the Chapter called References