* nixlists <nixmli...@gmail.com> [2010-01-06 03:56]:
> On Tue, Jan 5, 2010 at 8:34 PM, Robert <rob...@openbsd.pap.st> wrote:
> > ....
> > > nat and rdr are now declared with match rules.
>
> But 'pass' still works:
>
> pass out on em0 inet from 192.168.1.0/24 to any flags S/SA keep state nat-to (em0) round-robin

nat-to and rdr-to are valid on both match and pass rules. the difference is
that match rules will not change the pass/block status from previous
matching pass or block rules and that nat-to/rdr-to (and other stuff, see
manpage) are sticky on match rules but not on pass rules.

> >> An issue today was the box totally froze after I removed one of the
> >> redundant rules, did 'pfctl -f /etc/pf.conf', and ran 'systat queues'.
> >> As soon as I ran systat it froze dead. Not even a panic.
> >
> > You say you killed a box by trying to load a ruleset?
> > Checked the config with -n before loading?
>
> No, I am saying I killed the box by removing a single existing rule
> from the ruleset and running systat. it froze as soon as I ran
> 'systat queues'. After a reboot the box has no trouble running the
> ruleset.

no idea what's going on there, never seen anything like that, never heard
anything like that, undebuggable with the info at hand.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
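The match-versus-pass distinction described in the reply, as an added pf.conf fragment that is not part of the thread: em0 and 192.168.1.0/24 come from the quoted rule, the second pass rule for port 443 is constructed to show where the stickiness matters.

```pf
# Added example, not from the mailing list thread.
ext_if = "em0"
lan    = "192.168.1.0/24"

# Translation declared on a match rule. The match rule passes or blocks
# nothing by itself; it attaches nat-to to every matching packet, and
# that nat-to is sticky: it stays on the packet and is applied by
# whichever later pass rule ends up creating the state.
match out on $ext_if inet from $lan to any nat-to ($ext_if) round-robin

# Both pass rules below get the translation, because the match rule above
# already tagged the packets. pf is last-match-wins, so for port 443 the
# second rule decides the pass, and NAT still happens.
pass out on $ext_if inet from $lan to any flags S/SA keep state
pass out on $ext_if inet proto tcp from $lan to any port 443 \
    flags S/SA keep state

# Contrast with the quoted ruleset, which put nat-to on the pass rule:
#   pass out on em0 inet from 192.168.1.0/24 to any flags S/SA keep state \
#       nat-to (em0) round-robin
# There the translation belongs to that one rule only. A later pass rule
# matching the same traffic would win and pass it untranslated, since
# nat-to on a pass rule is not sticky.

# Syntax-check before loading, as suggested in the thread: pfctl -nf /etc/pf.conf
```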