Jeremy Chadwick wrote:
I believe it's because pf(4) doesn't make assumptions about what you want to filter. NAT is stateful (it has to be, because packets are being re-written, and the WAN-side port numbers are going to be different than the LAN-side), but filtering rules still apply **after** the translation has been done.What's happening is that your nat rule results in pf re-writing the packet, then the packet is immediately blocked by one of your block rules (I'm assuming "block out"). The pf.conf manpage documents this, more or less: Since translation occurs before filtering the filter engine will see packets as they look after any addresses and ports have been translated. Filter rules will therefore have to filter based on the translated address and port number. Packets that match a translation rule are only automatically passed if the pass modifier is given, otherwise they are still subject to block and pass rules.
I guess my misunderstanding comes in where the pass modifier is concerned. I also have a weak understand of what "state" actually means. The "automatically passsed" part of your citation isn't automatically passing.
I think I'll just drop the pass modifier on the NAT rule. Then it becomes precisely clear to me that I need a filter rule after the nat rule.
Regards, Jason _______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"
