On 2014/10/11 09:18, Peter J. Philipp wrote:
> On 10/11/14 01:17, Yann Hamon wrote:
> > Workaround:
> >
> > Flushing the state table whenever an IP changes.

Rather than flushing the entire state table, you could keep track of the IP address, watch for changes and kill states associated with the old one:

    pfctl -k 0.0.0.0/0 -k $old_ip
    pfctl -k $old_ip -k 0.0.0.0/0

Alternatively you could adjust timers (either with 'set timers' or in the rule with 'keep state (udp.first XX udp.multiple XX)') so that these states *do* expire regularly and use rdr-to to direct packets to the phone rather than relying on the nat mapping for this. For this, you probably want to restrict to the provider's call server addresses to avoid passing traffic from the world to your phone.
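
An added example, not part of the original message: one way to script the "keep track of the IP address, watch for changes and kill states" approach around the two pfctl -k commands above. The PFCTL and STATE_FILE variables, the state file path and the function names are assumptions of this sketch; the caller supplies the current external address.

```sh
#!/bin/sh
# Added example, not from the thread. PFCTL, STATE_FILE and the function
# names are assumptions made for this sketch.
PFCTL=${PFCTL:-pfctl}                          # PFCTL=echo gives a dry run
STATE_FILE=${STATE_FILE:-/var/db/ext_ip.last}  # hypothetical path

# Accept only a dotted-quad IPv4 address so nothing else reaches pfctl -k.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest=$1. n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}; n=$((n + 1))
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# The two pfctl -k commands from the message: kill states to and from $1.
kill_states() {
    is_ipv4 "$1" || { echo "refusing bad address: $1" >&2; return 2; }
    $PFCTL -k 0.0.0.0/0 -k "$1" &&
    $PFCTL -k "$1" -k 0.0.0.0/0
}

# Returns 0 if old states were killed, 1 if there was nothing to do,
# 2 if an address failed validation.
sync_states() {
    new_ip=$1 old_ip=
    is_ipv4 "$new_ip" || return 2
    if [ -r "$STATE_FILE" ]; then read -r old_ip < "$STATE_FILE" || :; fi
    [ "$new_ip" = "$old_ip" ] && return 1
    printf '%s\n' "$new_ip" > "$STATE_FILE"
    [ -n "$old_ip" ] || return 1        # first run: no old address yet
    kill_states "$old_ip"
}

# Run as: sh script.sh <current external IPv4 address>
if [ $# -ge 1 ]; then sync_states "$1"; fi
```

The recorded address is validated before it is passed to pfctl, so a corrupted state file cannot turn into arbitrary -k arguments.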
