On 08/28/2008 08:13:50 AM, [EMAIL PROTECTED] wrote:
On Aug 28, 12:45 am, [EMAIL PROTECTED] wrote:
> #     $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
> #Map internal addresses to external
> binat on $tun_if proto {tcp, udp, icmp} from $intaddr_irishcoffe to
> any -> $tunaddr_irishcoffe
> binat on $tun_if proto {tcp, udp, icmp} from $intaddr_bloodymary to
> any -> $tunaddr_bloodymary
> binat on $tun_if proto {tcp, udp, icmp} from $intaddr_longislandicetea
> to any -> $tunaddr_longislandicetea
>
> #Traffic on addresses not mapped with BINAT should be NATed via vr0
> (ie. not be pushed via the tunnel but rather pushed directly on the
> DSL line)
> #The below does not work though
> nat on $ext_if from $int_if:network to any -> { $ext_if }
>
> #Enabling the below makes it possible to access the Internet via
> $ext_if from 10.0.0.10 but only 10.0.0.10.
> #This is what I want with NAT above but for the whole 10.0.0.0/24 net
> (except BINATed addresses).
> #binat on $tun_if proto {tcp, udp, icmp} from 10.0.0.10 to any ->
> $ext_if:0
>
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port
> 8021
If I made the NAT rule look like this it worked:
nat on $tun_if from $int_if:network to any -> $ext_if
Now the question is why....
It's because your binat rule has already translated the datagrams
IP addresses before your nat rule sees the datagrams, so as
originally written the nat rule does not match.
FYI, binat rules are done before nat rules regardless of the
order in which they appear in pf.conf.
Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
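The ordering Karl describes can be modelled in a few lines. The block below is an added illustration written for this thread, not OpenBSD or pf code: it mimics pf's outbound translation lookup (binat ruleset searched first, then nat, first match within each, at most one translation rule applied per packet) and runs the quoted rules through it. The interface names, the 10.0.0.0/24 network, the $ext_if address and the per-host binat addresses are assumed values standing in for the macros in the quoted pf.conf.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the macros in the quoted pf.conf
# (assumptions for this example, not values from the thread).
TUN_IF, EXT_IF = "tun0", "vr0"
INT_NET = ipaddress.ip_network("10.0.0.0/24")                 # $int_if:network
EXT_ADDR = ipaddress.ip_address("192.0.2.1")                  # address on $ext_if
INTADDR_IRISHCOFFE = ipaddress.ip_address("10.0.0.11")        # $intaddr_irishcoffe
TUNADDR_IRISHCOFFE = ipaddress.ip_address("198.51.100.11")    # $tunaddr_irishcoffe
UNMAPPED_HOST = ipaddress.ip_address("10.0.0.10")             # host with no binat rule


@dataclass(frozen=True)
class Rule:
    kind: str                       # "binat" or "nat"
    iface: str                      # the "on $if" interface
    src: ipaddress.IPv4Network      # the "from" network (/32 for one host)
    new_src: ipaddress.IPv4Address  # the "-> address" the source becomes


@dataclass(frozen=True)
class Packet:
    out_iface: str                  # interface the packet is leaving on
    src: ipaddress.IPv4Address


def first_match(rules, kind, pkt):
    """Linear first-match scan of one ruleset (binat or nat) for an
    outbound packet, the way pf evaluates each translation ruleset."""
    for r in rules:
        if r.kind == kind and r.iface == pkt.out_iface and pkt.src in r.src:
            return r
    return None


def translate_out(rules, pkt):
    """Outbound lookup: the binat ruleset is consulted before the nat
    ruleset, and only the first matching translation rule is applied.
    Because binat and nat are separate rulesets, the order in which the
    two kinds appear in pf.conf has no effect on the result."""
    for kind in ("binat", "nat"):
        r = first_match(rules, kind, pkt)
        if r is not None:
            return r.kind, r.new_src
    return None, pkt.src


# The quoted rules, rendered with the assumed values above.
BINAT_IRISHCOFFE = Rule("binat", TUN_IF,
                        ipaddress.ip_network(f"{INTADDR_IRISHCOFFE}/32"),
                        TUNADDR_IRISHCOFFE)
# "nat on $ext_if from $int_if:network to any -> { $ext_if }"  (did not work)
NAT_ORIGINAL = Rule("nat", EXT_IF, INT_NET, EXT_ADDR)
# "nat on $tun_if from $int_if:network to any -> $ext_if"      (worked)
NAT_FIXED = Rule("nat", TUN_IF, INT_NET, EXT_ADDR)


def scenarios():
    """Run a binat-mapped host and an unmapped host through both rule
    orderings and both nat variants; returns (rule kind, new source)."""
    mapped = Packet(TUN_IF, INTADDR_IRISHCOFFE)
    unmapped = Packet(TUN_IF, UNMAPPED_HOST)
    return {
        # binat wins for the mapped host whichever way the rules are listed,
        # even though the nat rule's "from" network also covers that host
        "mapped_binat_first": translate_out([BINAT_IRISHCOFFE, NAT_FIXED], mapped),
        "mapped_nat_first": translate_out([NAT_FIXED, BINAT_IRISHCOFFE], mapped),
        # the unmapped host has no binat rule and falls through to nat
        "unmapped_fixed": translate_out([BINAT_IRISHCOFFE, NAT_FIXED], unmapped),
        # a nat rule keyed on $ext_if never sees a packet leaving $tun_if
        "unmapped_original": translate_out([BINAT_IRISHCOFFE, NAT_ORIGINAL], unmapped),
    }


if __name__ == "__main__":
    for name, (kind, src) in scenarios().items():
        print(f"{name:20s} rule={kind!s:5s} new_src={src}")
```

Running it shows the mapped host translated by binat in both orderings, the unmapped host picked up by the tun_if nat rule, and the same unmapped packet left untouched when the only nat rule is bound to ext_if.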