nat-to rule does not work with match but works with pass:

match out quick on egress inet from !(egress:network) to any nat-to (egress:0) - does not work
pass out quick on egress inet from !(egress:network) to any nat-to (egress:0) - works

Today I installed 5.5 and copied the old pf.conf to the new system and removed the queuing rules, but NAT does not work with this config. I removed all restriction rules and put accept all outgoing on both interfaces and all input on the internal interface. What am I doing wrong?

# cat /etc/pf.conf
# macros
int_if="re0"
ext_if="rl0"
tcp_ext_services="{ 22, 443, 51413 }"
tcp_int_services="{ 22, 53, 80 }"
udp_int_services="{ 53, 69 }"
icmp_types="echoreq"

# options
set block-policy drop
set skip on lo

# match rules
pass out quick on egress inet from !(egress:network) to any nat-to (egress:0)
match in on egress proto tcp from !$int_if to (egress) port 443 \
        rdr-to (egress) port 22

# filter rules
block log
antispoof quick for { lo $int_if }
pass in inet proto icmp all icmp-type $icmp_types

# filter rules for (egress)
pass in on egress inet proto tcp from any to (egress) \
        port $tcp_ext_services
pass out on egress from (egress)

# filter rules for $int_if
pass in on $int_if proto tcp from $int_if:network to $int_if port $tcp_int_services
pass in on $int_if proto udp from $int_if:network to $int_if port $udp_int_services
pass in on $int_if from $int_if:network to !$int_if
pass out on $int_if to $int_if:network