On 2014-10-08, Henning Brauer <hb-open...@ml.bsws.de> wrote:
> * Stuart Henderson <s...@spacehopper.org> [2014-10-05 22:49]:
>> Normal PF logging isn't particularly well-suited to CGNAT-type requirements,
>> in order to record both the internal address and the nat mapping you need
>> to log both the inbound and outbound packets and piece it together from the
>> two separate log entries.
>
> nope, pflog has both the original and the rewritten address(es).
>
Oh, it's hidden behind -v in tcpdump, that makes it simpler (my other comments about using port ranges if possible may still be useful though, if you aren't *required* to keep such detailed packet logs).