On 12/29/2010 03:06:27 PM, Johan Helsingius wrote:
I am starting to despair at ever understanding pf redirection/NAT.
I have been trying to build a very simple redirection where
an OpenBSD firewall running pf sits between the ADSL modem
and a controller.
I have now simplified the pf config to this:
ext_if = "rl0"
int_if = "xl2"
controller = "172.24.44.89"
set skip on lo
block log all
pass in log on $int_if
pass out log on $int_if
pass log on $ext_if from $controller to any binat-to $ext_if:0
pass log on $ext_if
but it still seems like there is no natting, as packets from the
controller seem to go out with the internal, non-routable address,
so no packets ever get back.
The rule in pf is that the last pass/block match wins, unless you
say otherwise with quick. So, your last two lines should be
either:
pass quick log on $ext_if from $controller to any binat-to $ext_if:0
pass log on $ext_if
or:
pass log on $ext_if
pass log on $ext_if from $controller to any binat-to $ext_if:0
However it's probably more clear to separate your filter rules
from your natting. You use match to do your natting, which
is sticky.
Put this at the top and get rid of the binat part of the
pass rule:
match on $ext_if from $controller to any binat-to $ext_if:0
Karl k...@meme.com
Free Software: You don't pay back, you pay forward.
-- Robert A. Heinlein
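The ruleset below is an added example, not part of the original thread, showing the poster's config rewritten the way the reply suggests: translation pulled out into a match rule at the top, filtering left as plain pass/block rules underneath. The interface names and the controller address are the poster's own; the comments and layout are assumptions for illustration.

```conf
# Added example (not the poster's original pf.conf): same interfaces and
# controller address, with NAT separated from filtering as the reply advises.
ext_if = "rl0"
int_if = "xl2"
controller = "172.24.44.89"

set skip on lo

# Translation first. "match" neither passes nor blocks; it attaches the
# binat-to action to every packet it matches, and that action sticks
# regardless of which pass rule wins later in the ruleset. binat-to is a
# 1:1 two-way mapping, so replies addressed to $ext_if:0 are rewritten
# back to $controller without any further rule.
match on $ext_if from $controller to any binat-to $ext_if:0

# Filtering. With no "quick", the last matching pass/block rule wins, which
# is why, in the original ruleset, a trailing "pass log on $ext_if"
# overrode the earlier pass rule that carried the binat-to.
block log all
pass in log on $int_if
pass out log on $int_if
pass log on $ext_if
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without activating it; after `pfctl -f /etc/pf.conf`, `pfctl -s rules` should list the match rule and `pfctl -s state` should show controller connections with the rl0 address as the translated source. Two caveats a practitioner would want: `$ext_if:0` is resolved once at load time, so if the address on rl0 can change (for example if the ADSL modem hands it out by DHCP or PPPoE), write `($ext_if:0)` so pf re-reads it automatically; and because binat-to is 1:1, only one internal host can be mapped onto `$ext_if:0` this way, so a whole internal network would need `nat-to` instead.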