On 19-05-2014 14:51, Peter N. M. Hansteen wrote:
> Alexey Kurinnij <[email protected]> writes:
>
>> A nat-to rule does not work in a match rule, but works in a pass rule:
>> match out quick on egress inet from !(egress:network) to any nat-to
>> (egress:0) - does not work
>> pass out quick on egress inet from !(egress:network) to any nat-to
>> (egress:0) - works
> Well, the match would need to be supplemented by a pass rule that
> matches whatever the packet looks like *after* the transformation the
> match rule performs. After the match rule here, the source address is
> whatever (egress:0) works out to be in your system, so you need a pass
> rule that matches that specification.
>
> And on a side note, the way to untangle stuff like this is to add log
> (matches) to rules for debugging. That will log all rules your packet
> matches after it has matched your logging rule. 
>
> I have a fairly trivial illustration in the tutorial slides at
> http://home.nuug.no/~peter/pf/newest/log.match.matches.html 
>
> - Peter
Also, I only use rdr-to in pass rules, not in match. That's because, as
Peter said, you can't always predict what the packet will look like
after your match rule. In addition to logging, you can always use tags
to control your packet flow. This way you can effectively "debug" your
ruleset. Also, I'm using pflow(4) with nfsen to capture the flows and
post-analyze them.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
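Putting the two replies together, the following pf.conf fragment is an added illustration and not something posted in the thread. It shows a nat-to done in a match rule, the pass rule that has to match the packet as it looks after translation, the log (matches) debugging aid Peter mentions, and the tag approach Giancarlo mentions. The interface group egress is standard OpenBSD; the internal prefix 192.0.2.0/24 and the tag name NATTED are assumptions chosen for the example.

```pf
# Added example, not from the thread. Assumes OpenBSD PF with the
# standard "egress" interface group; 192.0.2.0/24 and the tag NATTED
# are illustrative values.
int_net = "192.0.2.0/24"

# A match rule only applies its options (here nat-to) and never decides
# pass/block on its own. Translation happens at match time, so every
# rule evaluated after this one sees the packet with its source already
# rewritten to whatever (egress:0) resolves to.
# log (matches) additionally logs every later rule the packet matches,
# which is the quickest way to see why it is not being passed. The log
# is read with: tcpdump -n -e -ttt -i pflog0
match out log (matches) on egress inet from $int_net to any \
    nat-to (egress:0) tag NATTED

# Wrong: this pass rule is evaluated against the translated packet, whose
# source is no longer in $int_net, so it never matches and the packet
# falls through to the default block.
# pass out quick on egress inet from $int_net to any

# Correct, address based: match the post-translation source.
pass out quick on egress inet from (egress:0) to any

# Correct, tag based: the match rule tagged the packet, so the pass rule
# does not need to know what the address became after translation.
pass out quick on egress tagged NATTED
```

Only one of the two pass rules is needed; both are shown to contrast the address-based and the tag-based way of matching the translated packet. Check the syntax with `pfctl -nf /etc/pf.conf` before loading it.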
