On Mon, Jun 17, 2013 at 3:22 PM, Ryan Slack <[email protected]> wrote:
> Hosting a voip server behind OpenBSD with the following pf.conf file
> led to some surprising behaviour:
>
> voice_if = em0
> data_if= vr0
> ext_if = vr3
> PBX = "192.168.234.200"
> voip_ports = "10000:40000"
> table <remote_phones> persist { .... }
> match out on $ext_if from { $voice_if:network, $data_if:network } \
> to any nat-to $ext_if static-port
> pass out allow-opts flags S/SA modulate state
> pass in proto udp on $ext_if from <remote_phones> \
> port {sip,$voip_ports} rdr-to $PBX
>
> Notice the last rule does NOT include a "to" clause, as seen in the
> pools faq http://www.openbsd.org/faq/pf/pools.html.
>
> The surprise was when udp traffic on ports 10000:40000 was not coming
> through and tcpdump on $ext_if showed "icmp port unreachable" being
> sent back. Adding "to $ext_if" to the last rule fixed it immediately:
>
> pass in proto udp on $ext_if from <remote_phones> \
> to $ext_if port {sip,$voip_ports} rdr-to $PBX
>
> If this is by design, please explain!
>
> If the "to" clause is always required with rdr-to, then the man page
> should be updated, and the parse code throw an error, and perhaps the
> pools FAQ updated (possibly by me).
>
> --Ryan Slack
Sigh. As per usual with pf, problem in chair not in computer (port applied to the from). Sorry for the noise.

--Ryan Slack
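Ryan's one-line diagnosis is the whole explanation: in pf's rule grammar a `port` clause qualifies the address clause it follows, so `from <remote_phones> port {...}` filters on the remote phone's source port, while `to $ext_if port {...}` filters on the destination port the RTP stream is actually sent to. The Python model below is added here and is neither part of the thread nor pf's own code; it replays the two rules against constructed packets, assumes that `sip` resolves to UDP 5060, and ignores everything in a rule except the from/to/port clauses.

```python
# Added illustration, not pf code: a toy model of how pf binds a "port" clause
# to the address clause that precedes it. "from X port P" filters on the
# SOURCE port; "to Y port P" filters on the DESTINATION port.
SIP = 5060  # assumption: the "sip" service name resolves to udp/5060
VOIP_PORTS = "10000:40000"

# The two rules from the thread, with the $voip_ports macro expanded.
RULE_WITHOUT_TO = f"pass in proto udp on $ext_if from <remote_phones> port {{sip,{VOIP_PORTS}}} rdr-to $PBX"
RULE_WITH_TO = f"pass in proto udp on $ext_if from <remote_phones> to $ext_if port {{sip,{VOIP_PORTS}}} rdr-to $PBX"

def parse_ports(spec):
    """Expand a port spec such as '{sip,10000:40000}' into (lo, hi) ranges."""
    ranges = []
    for item in spec.strip("{}").split(","):
        item = item.strip()
        if item == "sip":
            ranges.append((SIP, SIP))
        elif ":" in item:                  # pf range syntax: lo:hi, inclusive
            lo, hi = item.split(":")
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(item), int(item)))
    return ranges

def parse_rule(text):
    """Return (src_ports, dst_ports); 'port' attaches to the last from/to seen."""
    tokens, side, src_ports, dst_ports = text.split(), None, [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("from", "to"):
            side = tok
        elif tok == "port":
            i += 1
            spec = tokens[i]
            while spec.startswith("{") and not spec.endswith("}"):
                i += 1
                spec += tokens[i]          # re-join a spaced '{ sip, 10000:40000 }'
            (src_ports if side == "from" else dst_ports).extend(parse_ports(spec))
        i += 1
    return src_ports, dst_ports

def matches(rule_text, sport, dport):
    """Does a UDP packet with the given source/destination ports hit the rule?"""
    src_ports, dst_ports = parse_rule(rule_text)
    def in_any(port, ranges):              # an absent clause matches any port
        return not ranges or any(lo <= port <= hi for lo, hi in ranges)
    return in_any(sport, src_ports) and in_any(dport, dst_ports)

# Constructed RTP packet: a remote phone sends from an ephemeral port to 20000.
print(matches(RULE_WITHOUT_TO, 50000, 20000))  # False: 50000 is not a "from" port
print(matches(RULE_WITH_TO, 50000, 20000))     # True: 20000 is in the "to" range
```

The first rule only ever matched packets whose source port happened to be sip or in 10000:40000, which is why the RTP stream fell through to the host and drew the ICMP port unreachable replies seen in the thread.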
