On 2014-10-08, Henning Brauer <[email protected]> wrote:
> * Stuart Henderson <[email protected]> [2014-10-05 22:49]:
>> Normal PF logging isn't particularly well-suited to CGNAT-type requirements,
>> in order to record both the internal address and the nat mapping you need
>> to log both the inbound and outbound packets and piece it together from the
>> two separate log entries.
>
> nope, pflog has both the original and the rewritten address(es).
>
Oh, it's hidden behind -v in tcpdump, that makes it simpler (my other comments about using port ranges if possible may still be useful though, if you aren't *required* to keep such detailed packet logs).

