On 2023-05-15, Stuart Henderson <stu.li...@spacehopper.org> wrote:
> pass out quick on rdomain 2 to 127.0.0.1 nat-to 127.0.0.1 rtable 0
Not sure what the proper etiquette is here, in particular if I should start a new thread seeing how this reply is over a month late, so feel free to yell at me.

What is the purpose of the "nat-to"? Is that just to cover all possible addresses that are defined on lo2 (e.g., other IPs in 127.0.0.0/8) instead of assuming the source address is 127.0.0.1? The reason I ask is I am quite sure you have a deeper understanding of pf than me, and I might be missing something with my configuration. I have not been encountering any issues that I know of the past year or so, but perhaps there is something I am missing.

I have a bunch of daemons running in rdomain 1, including but not limited to smtpd and rspamd, as well as daemons running in rdomain 0, most notably unbound. All three of those daemons listen _to_ ;) ::1 and 127.0.0.1. I need smtpd and rspamd to have access to unbound for things like rDNS. resolv.conf(5) contains:

router$ cat /etc/resolv.conf
domain philomathiclife.com.
family inet6 inet4
lookup file bind
nameserver ::1
nameserver 127.0.0.1
search philomathiclife.com.

Anyway, the rules that I have that _seem_ to work are the following:

pass out quick on lo1 inet6 proto { tcp udp } from ::1 to ::1 port 53 rtable 0
pass out quick on lo1 inet proto { tcp udp } from 127.0.0.1 to 127.0.0.1 port 53 rtable 0
pass in quick on { lo0 lo1 }

Notice the lack of "nat-to". Is there a reason I should amend those pass out rules to include "nat-to" if I know 127.0.0.1 is the source address? Perhaps there is an implicit "nat-to" in my rules?