On 2014-11-22, Soós László <soos.las...@demonhost.hu> wrote:
> Dear List,
>
> I'm struggling to understand which change in 5.6 implied that my pf
> redirects do not work anymore on the OpenBSD host itself.
> It all worked okay in OpenBSD 5.5, I did not change anything in the
> ruleset, just updated from 5.5 -> 5.6.
>
> Is there anybody who is facing a similar issue with pf in OpenBSD 5.6? Are
> there any solutions for it?
>
>
>
> [root ~]# ifconfig em0
> em0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
>         lladdr 00:0c:29:xx:xx:xx
>         inet yy.yy.yy.131 netmask 0xffffff00 broadcast yy.yy.yy.255
>
> [root ~]# pfctl -sr -vv | less
> ...
> @88 pass in quick inet proto tcp from any to yy.yy.yy.131 port = 25
>     flags S/SA keep state (if-bound) rdr-to 10.9.8.4
>   [ Evaluations: 783       Packets: 533       Bytes: 126263      States: 1     ]
>   [ Inserted: uid 0 pid 17457 State Creations: 22    ]
> ...
>
> pf.conf snippet
> -------------------
> set skip on lo
> ....
> pass in quick proto tcp from any to $ext_ip port smtp
>     rdr-to $int_host_mail
I don't see how this can have worked before. A packet generated on the firewall itself would not match a "pass in ..." rule, unless that packet was being sent to another system (ISP router?) which then forwarded it back to the firewall.