Jeremy Chadwick wrote:
I believe it's because pf(4) doesn't make assumptions about what you
want to filter. NAT is stateful (it has to be, because packets are
being re-written, and the WAN-side port numbers are going to be
different than the LAN-side), but filtering rules still apply **after**
the translation has been done.
What's happening is that your nat rule results in pf re-writing the
packet, then the packet is immediately blocked by one of your block
rules (I'm assuming "block out").
The pf.conf manpage documents this, more or less:
Since translation occurs before filtering the filter engine will see
packets as they look after any addresses and ports have been translated.
Filter rules will therefore have to filter based on the translated
address and port number. Packets that match a translation rule are only
automatically passed if the pass modifier is given, otherwise they are
still subject to block and pass rules.
I guess my misunderstanding comes in where the pass modifier is
concerned. I also have a weak understanding of what "state" actually means.
The "automatically passed" part of your citation isn't
automatically passing.
I think I'll just drop the pass modifier on the NAT rule. Then it
becomes precisely clear to me that I need a filter rule after the nat rule.
Regards,
Jason
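The following pf.conf fragment is an added example and is not part of the thread above; it illustrates the translation-before-filtering order Jeremy describes and what dropping the pass modifier from the nat rule requires of the filter rules. It uses the old-style nat syntax that FreeBSD's pf(4) had at the time (pre-OpenBSD 4.7 grammar); the interface names and the LAN prefix are assumptions chosen for illustration.

```pf
# Added example (not from the thread): old-style pf.conf (FreeBSD pf,
# pre-OpenBSD 4.7 grammar) showing why a bare "nat" rule needs a matching
# filter rule, and what "nat pass" changes. Interface names and the LAN
# prefix are assumptions chosen for illustration.
ext_if  = "em0"             # WAN side, assumed
int_if  = "em1"             # LAN side, assumed
int_net = "192.168.1.0/24"  # assumed LAN prefix

# Default deny, logged, so the rule that drops a packet shows up on pflog0.
block log all

# Translation rules come before filter rules in the grammar and are applied
# before filtering. This rewrites the source of outbound LAN packets to the
# WAN address and then hands the rewritten packet to the filter rules below.
nat on $ext_if from $int_net to any -> ($ext_if)

# The "nat pass" form instead passes translated packets without evaluating
# the filter rules at all, so they can no longer be blocked or logged by a
# filter rule. Use it in place of the rule above to get that behaviour:
# nat pass on $ext_if from $int_net to any -> ($ext_if)

# The filter sees the translated packet, so its source is the WAN address,
# not anything in $int_net. A rule written for the LAN prefix never matches
# on $ext_if and the packet falls through to "block log all":
# pass out on $ext_if from $int_net to any keep state

# This rule matches the translated packet. "keep state" records the flow so
# the replies, which pf reverse-translates and matches against state before
# filtering, are passed without a separate "pass in on $ext_if" rule.
pass out on $ext_if from ($ext_if) to any keep state

# The LAN side is not translated; filter on the real LAN addresses there.
pass in on $int_if from $int_net to any keep state
```

To check a ruleset like this, run pfctl -nf /etc/pf.conf to parse it without loading, pfctl -sn to list the translation rules and pfctl -vsr to list the filter rules with their rule numbers. If traffic is still dropped, tcpdump -n -e -ttt -i pflog0 shows each blocked packet together with the number of the rule that blocked it, and the logged source address of an outbound packet will already be the WAN address, which is the translation-before-filtering behaviour the thread is about.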
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"