On 2013-04-13, Chris Smith <obsd_m...@chrissmith.org> wrote:
> Looking for a bit of clarification on match and nat-to. At one point
> (and maybe still so?) nat rules were "first matching" as opposed to
> the 'normal' case of "last matching" but match rules are sticky until
> overridden.
>
> With:
> match out on $ext_if inet from !($ext_if) to any nat-to ($ext_if)
> match out on $ext_if inet from $gamer to any nat-to ($ext_if) static-port
>
> Followed by a pass rule:
> pass in on $int_if inet proto { tcp, udp } from em0:network
>
> Does the system $gamer (it is a system on the internal network) get
> static-port natted? Or should those rules be reordered? Or should
> something different be done?
Rather than saying what it does (which the manpage already does; the second
paragraph of Translation is relevant), it's more generally applicable to
show you how you can find out for yourself: put "match log (matches)" at
the top of pf.conf, and watch the output of "tcpdump -neipflog0 -vv". The
rule numbers displayed can be looked up with "pfctl -sr -R <number>".

> What happens when $gamer wants to use a port that's already in use?

The translation fails. I don't recall what happens then, but it probably
depends on your other rules - maybe the packet is sent out untranslated if
you don't have a block rule to stop that from occurring.

If you want to play around with this to see what happens, "nc -p" is
useful; you will need a couple of systems behind the same nat, or keep
changing the IP address, to try it.

With "pfctl -xnotice" you get this in syslog/dmesg:

Apr 13 23:27:11 jodrell /bsd: pf: pf: NAT proxy port allocation (0-0) failed

(but -xnotice is very noisy and not something you would want to leave
running normally). Also in -current there is a "translation" counter
(visible with pfctl -si) which gets increased.

> As a note the particular system in question is running an older version:
> OpenBSD 5.1-current (GENERIC.MP) #1: Thu May 31 18:31:17 EDT 2012
> in case the answer(s) might be different.

I would recommend releases rather than -current if you're not going to keep
them updated... all of the pain and none of the gain.
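The debugging workflow the reply describes (a "match log (matches)" rule at the top of pf.conf, rule numbers read off pflog0, then "pfctl -sr -R <number>" to see the rule text), as an added example that is not part of the thread. The interface names, the address used for $gamer, and the tcpdump pflog0 lines are constructed; the "rule N/(match)" prefix the parser looks for is the form OpenBSD's tcpdump prints for pflog records and is assumed here rather than taken from the thread, and rule_by_number reproduces pfctl's 0-based rule numbering on the unexpanded fragment instead of calling pfctl, so the script runs on a machine without pf.

```shell
#!/bin/sh
# Added example, not from the thread. Everything below is constructed for
# illustration: interface names, the $gamer address and the pflog sample.

# The poster's three rules with the reply's "match log (matches)" placed
# first, so every later rule that matches a packet is logged to pflog0
# together with its rule number. Macro lines are not rules and get no number.
PF_CONF_FRAGMENT='
ext_if = "em1"
int_if = "em0"
gamer  = "192.0.2.10"
match log (matches)
match out on $ext_if inet from !($ext_if) to any nat-to ($ext_if)
match out on $ext_if inet from $gamer to any nat-to ($ext_if) static-port
pass in on $int_if inet proto { tcp, udp } from em0:network
'

# Constructed sample of "tcpdump -neipflog0" output for two UDP packets from
# $gamer: one line per logged rule hit, "rule N/(match)" carrying the number
# that "pfctl -sr -R N" looks up. The last line is a second packet hitting
# rule 3 again, to show the de-duplication below.
SAMPLE_PFLOG='
23:27:11.000001 rule 0/(match) match in on em0: 192.0.2.10.27015 > 198.51.100.5.27015: udp 32
23:27:11.000002 rule 3/(match) pass in on em0: 192.0.2.10.27015 > 198.51.100.5.27015: udp 32
23:27:11.000003 rule 0/(match) match out on em1: 192.0.2.10.27015 > 198.51.100.5.27015: udp 32
23:27:11.000004 rule 1/(match) match out on em1: 192.0.2.10.27015 > 198.51.100.5.27015: udp 32
23:27:11.000005 rule 2/(match) match out on em1: 192.0.2.10.27015 > 198.51.100.5.27015: udp 32
23:27:12.000006 rule 3/(match) pass in on em0: 192.0.2.10.27016 > 198.51.100.5.27015: udp 32
'

# Pull the rule numbers out of pflog lines, first-seen order, duplicates
# dropped. Tolerates the older "rule N/M(match)" spelling as well.
pflog_rule_numbers() {
    printf '%s\n' "$1" \
        | sed -n 's|.*rule \([0-9][0-9]*\)/[0-9]*(match).*|\1|p' \
        | awk '!seen[$0]++' \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# Return the rule text pfctl would number N (0-based, counting only rule
# lines of the fragment, macros and blank lines skipped). Stands in for
# "pfctl -sr -R N" so the mapping can be checked without pf installed.
rule_by_number() {
    printf '%s\n' "$PF_CONF_FRAGMENT" \
        | grep -v '^[[:space:]]*$' \
        | grep -v '^[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=' \
        | sed -n "$(( $1 + 1 ))p"
}

# For each rule number seen on pflog0, emit the lookup command from the
# reply followed by the rule it resolves to in the fragment above.
pfctl_lookup_commands() {
    for n in $(pflog_rule_numbers "$1"); do
        printf 'pfctl -sr -R %s   # %s\n' "$n" "$(rule_by_number "$n")"
    done
}

# Stand-alone run: show which rules handled the sample packets, in order.
pfctl_lookup_commands "$SAMPLE_PFLOG"
```

Run on a real box, replace SAMPLE_PFLOG with the saved output of "tcpdump -neipflog0 -vv" and rule_by_number with the real "pfctl -sr -R" call; the order of the numbers in the output is the order in which pf evaluated the rules for that packet, which is exactly what the poster's question about rule ordering needs.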