On Fri, Feb 28, 2014 at 10:15:15AM +0100, Loïc Blot wrote:
> I encountered a strange problem today on PF. I don't know if this is normal,
> but the result is illogical.
>
> I have this rule:
>
> pass out quick proto tcp from <all_clients_v4> to port { smtp smtps 587
> imap imaps pop3 pop3s } nat-to $natto_iface
the problem here is that the interface has several addresses, so you end up with
> pass out quick inet6 proto tcp from <all_clients_v4> to any port = 465
> flags S/SA nat-to <__automatic_d309aaac_0> round-robin
an automatically generated table, containing all addresses assigned to the
interface, and the poor thing tries to load balance between them (round-robin).
The most straightforward fix is to change the nat-to so it refers to one
specific address only, and only applies to inet, something like

natto_addr="192.0.2.198"
pass out quick on egress inet proto tcp from <all_clients_v4> to port { smtp smtps 587 \
    imap imaps pop3 pop3s } nat-to $natto_addr
As always, a pfctl -vnf on the config file would show all these things expanded
(yes, I've been bitten by the exact same round-robin problem myself).
- Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
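The check Peter suggests (running pfctl -vnf and reading the expanded rules) is easy to miss by eye in a long ruleset. The following is an added example, not code from the message or from the OpenBSD project: a small POSIX sh function that scans pfctl -vnf output for nat-to rules that pf expanded into an automatically generated, round-robin address table, which is exactly what happens when nat-to names an interface with several addresses. It assumes the output format shown in the message above (the `<__automatic_...> round-robin` tail), and the sample rules embedded in it are constructed for the demo; the function name check_auto_nat is made up here.

```shell
#!/bin/sh
# Added example (not from the original message): flag nat-to rules that
# pfctl -vnf expanded into an automatically generated address table with
# round-robin, i.e. the nat-to target was an interface name with several
# addresses instead of one specific address.
# Real use:  pfctl -vnf /etc/pf.conf | check_auto_nat
set -eu

# Reads expanded rules from stdin (or from files given as arguments).
# Prints every offending rule and returns 1 if any is found; returns 0
# and prints nothing when the ruleset is clean.
check_auto_nat() {
    # "<__automatic_...>" is the table pf generates when nat-to points at
    # an interface; "round-robin" is how it then spreads traffic over
    # all of that interface's addresses (format as in pfctl -vnf output).
    grep -E 'nat-to <__automatic_[^>]+> round-robin' "$@" && return 1
    return 0
}

# Constructed sample of pfctl -vnf output (two rules, not a real dump):
# the first is the problematic expansion quoted in the thread, the second
# is the same rule after pinning nat-to to a single inet address.
SAMPLE_RULES='pass out quick inet6 proto tcp from <all_clients_v4> to any port = 465 flags S/SA nat-to <__automatic_d309aaac_0> round-robin
pass out quick on egress inet proto tcp from <all_clients_v4> to any port = 465 flags S/SA nat-to 192.0.2.198'

# Demo when run directly with --demo: print the offending rule, if any.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_RULES" | check_auto_nat \
        || echo "nat-to expanded to a round-robin automatic table; use one address and restrict to inet"
fi
```

Pipe the real output of `pfctl -vnf /etc/pf.conf` into check_auto_nat before loading a ruleset; a non-zero exit means at least one nat-to would round-robin across an interface's addresses, which is the behaviour described above.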