On 03:14:10 Dec 22, Mikolaj Kucharski wrote:
> Hi,
>
> # echo binat on wi0 inet proto '{' tcp udp icmp '}' \
> from 192.168.100.2 to any '->' 192.168.15.103 | pfctl -f -
>
> # pfctl -sn
> binat on wi0 inet proto tcp from 192.168.100.2 to any -> 192.168.15.103
>
> # sysctl -n kern.version
> OpenBSD 4.2-current (GENERIC) #599: Fri Dec 14 17:13:48 MST 2007
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
>
>
> I didn't work with PF for a long time, so maybe I'm missing something, but
> is this behaviour correct? Could someone more experienced comment on
> this? TIA

I am no authority but looking at the grammar section in pf.conf(5), I
would guess that it is correct behavior.

    nat-rule   = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                 [ "on" ifspec ] [ af ]
                 [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
                 [ "->" ( redirhost | "{" redirhost-list "}" )
                 [ portspec ] [ pooltype ] [ "static-port" ] ]

    binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                 [ "on" interface-name ] [ af ]
                 [ "proto" ( proto-name | proto-number ) ]
                 "from" address [ "/" mask-bits ] "to" ipspec
                 [ "tag" string ] [ "tagged" string ]
                 [ "->" address [ "/" mask-bits ] ]

    rdr-rule   = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                 [ "on" ifspec ] [ af ]
                 [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
                 [ "->" ( redirhost | "{" redirhost-list "}" )
                 [ portspec ] [ pooltype ] ]

You can see that there is no 'protospec' token in binat-rule.

-Girish
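
An added example, not part of the original thread or of pf itself: a small ruleset check that flags binat rules written with a braced protocol list, which the binat-rule grammar quoted above does not allow and which left only tcp in the `pfctl -sn` output of the quoted post. The function names and every sample rule except the first are constructed for illustration; rewriting to one rule per protocol is an assumption based on the quoted grammar only and has not been tested against pfctl.

```python
import re

# Constructed sample ruleset; only the first rule comes from the quoted post.
SAMPLE = """\
binat on wi0 inet proto { tcp udp icmp } from 192.168.100.2 to any -> 192.168.15.103
binat on wi0 inet proto tcp from 192.168.100.3 to any -> 192.168.15.104
nat on wi0 inet proto { tcp, udp } from 192.168.100.0/24 to any -> (wi0)
binat on wi0 from 192.168.100.4 to any -> 192.168.15.105
"""

def tokens(rule):
    """Split a rule into words; '{', '}' and ',' act as separators."""
    rule = rule.split("#", 1)[0]          # drop trailing comment
    return re.sub(r"([{}])", r" \1 ", rule.replace(",", " ")).split()

def binat_proto_list(rule):
    """Protocols of a braced list after "proto" in a binat rule, else []."""
    t = tokens(rule)
    if t[:1] == ["no"]:
        t = t[1:]
    if not t or t[0] != "binat" or "proto" not in t:
        return []                          # not binat, or no proto clause
    i = t.index("proto") + 1
    if i >= len(t) or t[i] != "{" or "}" not in t[i:]:
        return []                          # single proto-name / proto-number
    return t[i + 1 : t.index("}", i)]

def split_per_proto(rule):
    """Rewrite a binat rule with a proto list as one rule per protocol."""
    # Assumption: each emitted line fits the quoted binat-rule grammar.
    protos = binat_proto_list(rule)
    if not protos:
        return [rule.strip()]
    head, tail = re.split(r"\{[^}]*\}", rule.strip(), maxsplit=1)
    return [f"{head}{p}{tail}" for p in protos]

def lint(ruleset):
    """(line number, protocols) for each binat rule using a proto list."""
    return [(n, p) for n, line in enumerate(ruleset.splitlines(), 1)
            if (p := binat_proto_list(line))]

if __name__ == "__main__":
    for n, protos in lint(SAMPLE):
        print(f"line {n}: binat takes a single protocol, got {protos}")
        print("\n".join(split_per_proto(SAMPLE.splitlines()[n - 1])))
```

Comparing the rules in the file with what `pfctl -sn` reports after loading, as the original poster did, remains the authoritative check.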