Quoting corey clingo <clinge...@gmail.com>:
I had to replace the dead hard drive in an old OpenBSD firewall
yesterday (it only ran for about 8 years :), and in the process I had
to re-do my pf.conf to incorporate the newer (post-4.6 or thereabouts)
syntax. I was trying to figure out why I have what appears to be two
states for each incoming connection that is getting rdr-to'd to a box on
the internal network by a pass rule, but I digress.
Anyway, I'm reading the pf.conf man page, and I interpret it as saying
that the last matching pass/block rule determines what action is
taken, but the _first_ matching pass rule is what creates the state.
Am I interpreting this correctly? Is that a contradiction of sorts, at
least from the PoV of being able to use pfctl -ss or systat states to
see what's going on? Should I be using match rules to do nat-to/rdr-to
instead?
Thanks in advance,
Corey
We use PPPoE and have the following with NAT (the firewall has 6
interfaces and we use NAT just with two of them -- lan and publicdmz)
# NAT all traffic from LAN and Public DMZ to the Internet
match out log on pppoe0 from lan:network to any nat-to (pppoe0)
match out log on pppoe0 from publicdmz:network to any nat-to (pppoe0)
pass out log on pppoe0 from lan:network to any nat-to (pppoe0)
pass out log on pppoe0 from publicdmz:network to any nat-to (pppoe0)
Hope this helps.
Vijay
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca
---------------------------------------------
This message was sent using ForeTell-POST 4.9
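As an added illustration of the match-based layout Corey asks about (not Vijay's config and not from the pf.conf man page; the interface names and the 192.168.10.20 server address are constructed), the translation is attached with match rules, which never decide pass/block, and the filtering is done by separate pass rules that see the already-translated packet:

```pf
# /etc/pf.conf fragment, post-4.7 syntax; constructed names and addresses
ext_if  = "pppoe0"
lan_if  = "em1"
dmz_if  = "em2"
web_srv = "192.168.10.20"   # constructed internal web server

# Translation only: match rules rewrite addresses but take no pass/block action.
match out on $ext_if from $lan_if:network to any nat-to ($ext_if)
match out on $ext_if from $dmz_if:network to any nat-to ($ext_if)
match in  on $ext_if proto tcp to ($ext_if) port 80 rdr-to $web_srv

# Policy: the last matching pass/block rule decides, and that rule holds the state.
block log all

# Outbound: source is already nat-to'd when this rule is evaluated, so do not
# restrict on the pre-translation LAN/DMZ source here.
pass out on $ext_if

# Inbound: the rdr-to above has already rewritten the destination, so the pass
# rule has to match the internal address, not the pppoe0 address.
pass in on $ext_if proto tcp to $web_srv port 80
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -ss` then shows one entry per redirected connection with the translated address in parentheses rather than a separate state per rule.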