Hi,

I just encountered a strange behavior with the binat rules. Since we optimize
our firewall script via multiple anchors for our thousands of binat rules, we
don't use the binat rule but instead use the 2 rules in different anchors.
Example:

anchor out on $ext_if from 192.168.0.0/16 {
    anchor out on $ext_if from 192.168.0.0/24 {
        match out on $ext_if inet from 192.168.0.1 to any nat-to X.Y.Z.1 static-port
        match out on $ext_if inet from 192.168.0.2 to any nat-to X.Y.Z.2 static-port
    }
}

anchor in on $ext_if to X.Y.Z.0/20 {
    anchor in on $ext_if to X.Y.Z.0/24 {
        match in on $ext_if inet from any to X.Y.Z.1 rdr-to 192.168.0.1
        match in on $ext_if inet from any to X.Y.Z.2 rdr-to 192.168.0.2
    }
}

We just found that by adding the in rules before the out rules in the pf script, only the incoming rules will be applied and outgoing packets will match the default nat instead.

Is there any reason for this behavior that I can understand? Anyway, I also wanted to leave a note in the misc info archive about this, since I didn't find anything while searching on marc.info, and I searched for days.

Also, is it a pfctl limitation not to be able to use it on an anchor inside another anchor, or am I missing something? Example: I load an anchor named A in the main ruleset, and in A, I load another anchor named B. Is there any way to use pfctl on the B anchor?

# pfctl -sA
A
# pfctl -a A -sA
B
#

Thanks

Michel
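The same split-binat layout as in the message above, as an added example that is not part of the original post: the braces are balanced, the outbound (nat-to) anchors come before the inbound (rdr-to) anchors, and every anchor carries a name so that the inner level can be addressed from pfctl. The anchor names nat-out, rdr-in and net-0 and the em0 interface are assumptions; X.Y.Z is left as the post's own placeholder, so substitute a real prefix before loading.

```pf
# Added example, not the original poster's ruleset.
ext_if = "em0"          # assumed interface name

# Outbound half first: per-host nat-to rules in a named, nested anchor.
anchor "nat-out" out on $ext_if inet from 192.168.0.0/16 {
    anchor "net-0" out on $ext_if inet from 192.168.0.0/24 {
        match out on $ext_if inet from 192.168.0.1 to any nat-to X.Y.Z.1 static-port
        match out on $ext_if inet from 192.168.0.2 to any nat-to X.Y.Z.2 static-port
    }
}

# Inbound half after it: the matching rdr-to rules, same nesting.
anchor "rdr-in" in on $ext_if inet to X.Y.Z.0/20 {
    anchor "net-0" in on $ext_if inet to X.Y.Z.0/24 {
        match in on $ext_if inet from any to X.Y.Z.1 rdr-to 192.168.0.1
        match in on $ext_if inet from any to X.Y.Z.2 rdr-to 192.168.0.2
    }
}

# Reaching the inner anchor with pfctl(8): a nested anchor is written as a
# path, and -v together with -sA lists anchors recursively.
#   pfctl -a nat-out/net-0 -sr           # show the rules in the inner anchor
#   pfctl -a nat-out/net-0 -f net-0.conf # reload only the inner anchor
#   pfctl -vsA                           # list all anchors, nested ones included
```

The path form `pfctl -a outer/inner` is what makes the second question from the message workable: an unnamed inline anchor cannot be targeted, so give each level a name and address it through the full path from the main ruleset.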
