Your "pass" rules need to reference the IP address after processing by the "rdr" rule. So it should be passing traffic destined to '10.0.0.17'.

See http://openbsd.org/faq/pf/rdr.html#filter for more info.

John

On Thu, Jun 05, 2008 at 03:46:57PM -0700, Lord Sporkton wrote:
> on OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386
> I have this pf.conf config, it does not work for vnc
>
> ext_if="xl0"
> lawrence="10.0.0.17"
>
> rdr on $ext_if proto tcp from any to $ext_if port vncweb -> $lawrence port vncweb
> rdr on $ext_if proto tcp from any to $ext_if port vnc -> $lawrence port vnc
>
> pass in on $ext_if inet proto tcp from any to $ext_if port vncweb \
>     modulate state (max-src-conn-rate 3/30, overload <vnc-attack>)
> pass in on $ext_if inet proto tcp from any to $ext_if port vnc \
>     modulate state (max-src-conn-rate 3/30, overload <vnc-attack>)
>
> If I use the pass keyword instead in the rdr statement (as below), it works fine.
>
> rdr pass on $ext_if proto tcp from any to $ext_if port vnc -> $lawrence port vnc
>
> Does anyone see something wrong with my pass statements?
> thanks
>
> --
> -Lawrence
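The fix John describes, written out as an added pf.conf fragment that is not part of the original thread: the pass rules match on the translated address $lawrence, using the pre-4.7 rdr syntax from the post. The table definition and the block rule feeding off it are assumptions added so the overload option has somewhere to put offending hosts, and the service names vnc and vncweb are taken from the post and must resolve via /etc/services.

```pf
# pf.conf fragment, OpenBSD 4.3-era syntax (pre-4.7 rdr). Added example.
ext_if="xl0"
lawrence="10.0.0.17"

# Table that overload fills; 'persist' keeps it even when empty (assumption,
# not in the post).
table <vnc-attack> persist

# Drop traffic from hosts that tripped the connection-rate limit (assumption).
block in quick on $ext_if from <vnc-attack>

# Translation happens first: the packet's destination becomes $lawrence.
rdr on $ext_if proto tcp from any to $ext_if port vnc    -> $lawrence port vnc
rdr on $ext_if proto tcp from any to $ext_if port vncweb -> $lawrence port vncweb

# Broken: filter rules are evaluated after rdr, so 'to $ext_if' never matches
# the translated packet and a default block policy drops it.
#pass in on $ext_if inet proto tcp from any to $ext_if port vnc \
#    modulate state (max-src-conn-rate 3/30, overload <vnc-attack>)

# Fixed: match on the post-translation destination.
pass in on $ext_if inet proto tcp from any to $lawrence port vnc \
    modulate state (max-src-conn-rate 3/30, overload <vnc-attack>)
pass in on $ext_if inet proto tcp from any to $lawrence port vncweb \
    modulate state (max-src-conn-rate 3/30, overload <vnc-attack>)
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -t vnc-attack -T show` lists the hosts the overload option has added to the table.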