On 12/29/2010 03:06:27 PM, Johan Helsingius wrote:
> I am starting to despair at ever understanding pf redirection/NAT.
> 
> I have been trying to build a very simple redirection where
> a openbsd firewall running pf sits between the ADSL modem
> and a controller.
> 
> I have now simplified the pf config to this:
>  ------------
> 
> ext_if = "rl0"
> int_if = "xl2"
> 
> controller = "172.24.44.89"
> 
> set skip on lo
> 
> block log all
> 
> pass in log on $int_if
> pass out log on $int_if
> 
> pass log on $ext_if from $controller to any binat-to $ext_if:0
> pass log on $ext_if
> 
>  ------------
> 
> but it still seems like there is no natting, as packets from the
> controller seem to go out with the internal, non-routable address,
> so no packets ever get back.

The rule in pf is that the last pass/block match wins, unless you
say otherwise with "quick".  So, your last two lines should be
either:

pass quick log on $ext_if from $controller to any binat-to $ext_if:0
pass log on $ext_if

or:

pass log on $ext_if
pass log on $ext_if from $controller to any binat-to $ext_if:0

However it's probably more clear to separate your filter rules
from your natting.  You use "match" to do your natting, which
is "sticky".

Put this at the top and get rid of the binat part of the
pass rule:

match on $ext_if from $controller to any binat-to $ext_if:0


Karl <[email protected]>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
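As an added illustration (not code from the thread, from Johan or from Karl), the following small Python model reproduces the pf(4) evaluation order Karl describes and runs the poster's ruleset and each of the three suggested fixes against the same outbound packet. Everything here is an assumption for the sake of the demonstration: the model parses only the subset of pf.conf syntax used in the thread, rl0 is given the made-up address 203.0.113.10, the destination 198.51.100.7 is made up, and the semantics encoded (last matching pass/block wins, `quick` stops evaluation, translation on a pass rule only applies when that rule wins, `match` translation is sticky) are a simplified reading of pf.conf(5), not pf's actual code.

```python
"""Added example, not from the original thread: a toy model of pf(4) rule
evaluation, used to show why the poster's ruleset never translated the
controller's packets and why each of the three suggested fixes does.

Modelled semantics (simplified from pf.conf(5)):
  * rules are read top to bottom; the LAST matching pass/block rule decides
    the packet's fate, unless a matching rule carries "quick";
  * binat-to on a pass rule applies only when that pass rule is the winner;
  * "match" rules never decide pass/block, but the translation they set is
    sticky and survives later pass rules.
Only the pf.conf subset used in the thread is parsed.  Addresses other than
the poster's 172.24.44.89 are assumptions (TEST-NET ranges).
"""
from dataclasses import dataclass
from typing import Optional

MACROS = {"ext_if": "rl0", "int_if": "xl2", "controller": "172.24.44.89"}
IF_ADDR = {"rl0": "203.0.113.10"}   # assumed address of the ADSL-facing rl0


@dataclass
class Packet:
    iface: str
    direction: str   # "in" or "out"
    src: str
    dst: str


@dataclass
class Rule:
    action: str                # pass | block | match
    direction: Optional[str]   # in | out | None (both)
    quick: bool
    iface: Optional[str]       # None means any interface ("all")
    src: str                   # "any" or an address
    dst: str
    binat_to: Optional[str]    # translation address, already resolved

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or self.iface == pkt.iface)
                and (self.direction is None or self.direction == pkt.direction)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst))


def macro(tok: str) -> str:
    """Expand $name, keeping a trailing :0 (first address only) if present."""
    if not tok.startswith("$"):
        return tok
    name, _, suffix = tok[1:].partition(":")
    return MACROS[name] + (":" + suffix if suffix else "")


def parse_rule(line: str) -> Rule:
    toks = line.split()
    action, toks = toks[0], toks[1:]
    direction, quick, iface, src, dst, binat = None, False, None, "any", "any", None
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            direction = t
        elif t == "quick":
            quick = True
        elif t in ("log", "all"):
            pass                           # no effect on matching in this model
        elif t == "on":
            iface = macro(toks[i + 1]); i += 1
        elif t == "from":
            src = macro(toks[i + 1]); i += 1
        elif t == "to":
            dst = macro(toks[i + 1]); i += 1
        elif t == "binat-to":
            target = macro(toks[i + 1]).split(":")[0]   # "rl0:0" -> "rl0"
            binat = IF_ADDR.get(target, target); i += 1
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
        i += 1
    return Rule(action, direction, quick, iface, src, dst, binat)


def evaluate(ruleset: str, pkt: Packet):
    """Return (verdict, source address as seen on the wire after translation)."""
    rules = [parse_rule(l) for l in ruleset.strip().splitlines()
             if l.split() and l.split()[0] in ("pass", "block", "match")]
    verdict, sticky, last_binat = "pass", None, None   # pf passes if nothing matches
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "match":
            sticky = rule.binat_to or sticky            # sticky: never undone later
            continue
        verdict, last_binat = rule.action, rule.binat_to  # last match wins...
        if rule.quick:
            break                                       # ...unless quick ends it
    if verdict != "pass":
        return "block", None
    return "pass", sticky or last_binat or pkt.src


# The poster's filter rules, then Karl's three variants (constructed strings).
ORIGINAL = """
block log all
pass in log on $int_if
pass out log on $int_if
pass log on $ext_if from $controller to any binat-to $ext_if:0
pass log on $ext_if
"""
FIX_QUICK = ORIGINAL.replace("pass log on $ext_if from", "pass quick log on $ext_if from")
FIX_REORDER = """
block log all
pass in log on $int_if
pass out log on $int_if
pass log on $ext_if
pass log on $ext_if from $controller to any binat-to $ext_if:0
"""
FIX_MATCH = """
match on $ext_if from $controller to any binat-to $ext_if:0
block log all
pass in log on $int_if
pass out log on $int_if
pass log on $ext_if
"""

OUTBOUND = Packet("rl0", "out", "172.24.44.89", "198.51.100.7")  # assumed dst

if __name__ == "__main__":
    for name, rs in [("original", ORIGINAL), ("quick", FIX_QUICK),
                     ("reordered", FIX_REORDER), ("match", FIX_MATCH)]:
        print(f"{name:10s} -> {evaluate(rs, OUTBOUND)}")
```

Running it shows the poster's symptom directly: with the original ordering the packet passes but leaves rl0 still sourced from 172.24.44.89, while each of the three fixes yields 203.0.113.10. The model is no substitute for loading the real ruleset; on the firewall itself, `pfctl -nf /etc/pf.conf` parses a ruleset without loading it, and `pfctl -s rules` shows the order pf actually evaluates.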
