On 04/07/2006 11:04:23 AM, Gabriel Wachman wrote:
If NAT translation happens BEFORE any filter rules are evaluated
(see http://www.openbsd.org/faq/pf/nat.html), then wouldn't it be
true that an outbound packet from the internal network will be
seen by the filtering engine as a packet with source IP of the
firewall?
Looking at /usr/share/pf/faq-example1:
<snip>
nat on $ext_if from $int_if:network to any -> ($ext_if)
<snip>
pass in on $int_if from $int_if:network to any keep state
<snip>
Why is that second rule necessary?
Because NAT happens on the interface. The packet has to
come in through the internal interface before it gets
nat-ted on the external interface.
Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
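The packet path Karl describes, written out as a pf.conf fragment with the rules Gabriel quoted. This is an added example, not text from the thread or from the pf FAQ; the interface names and the 192.168.1.0/24 network are assumed, and the nat syntax is the pre-4.7 form used in the FAQ example.

```pf
# Added example (not from the thread). Assumed interface names and
# internal network; rule syntax matches the quoted FAQ example (pf < 4.7).
ext_if = "em0"
int_if = "em1"     # assumed: $int_if:network expands to 192.168.1.0/24

# Translation rules are evaluated before the filter rules, but only on
# the interface they are bound to. This one is bound to $ext_if, so it
# never touches a packet while it is arriving on $int_if.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny; later matching rules override it.
block all

# Step 1: a packet from 192.168.1.10 enters on $int_if. No nat rule is
# bound to this interface, so the filter sees the original source
# 192.168.1.10 and this rule is what lets the packet into the firewall.
# Without it the packet is blocked here and never reaches the nat rule.
pass in on $int_if from $int_if:network to any keep state

# Step 2: the same packet leaves on $ext_if. NAT is applied on this
# interface before the outbound filter rules run, so this rule sees the
# source as the firewall's external address, not 192.168.1.10.
pass out on $ext_if from ($ext_if) to any keep state
```

Checking a candidate file with `pfctl -nf /path/to/pf.conf` parses it without loading it, which is the quickest way to confirm the section order (translation before filter rules) is accepted.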