On 2023/06/28 10:37, Zack Newman wrote:
> On 2023-05-15, Stuart Henderson <stu.li...@spacehopper.org> wrote:
> > pass out quick on rdomain 2 to 127.0.0.1 nat-to 127.0.0.1 rtable 0
>
> Not sure what the proper etiquette is here, in particular if I should
> start a new thread seeing how this reply is over a month late, so feel
> free to yell at me.

It's generally better not to start a new thread, instead keep the
in-reply-to header intact, so that people finding it in list archives
can more easily locate the original messages.

> What is the purpose of the "nat-to"? Is that just to cover all possible
> addresses that are defined on lo2 (e.g., other IPs in 127.0.0.0/8)
> instead of assuming the source address is 127.0.0.1? The reason I ask is
> I am quite sure you have a deeper understanding of pf than me, and I
> might be missing something with my configuration. I have not been
> encountering any issues that I know of the past year or so, but perhaps
> there is something I am missing.
>
> I have a bunch of daemons running in rdomain 1 including but not
> limited to smtpd and rspamd as well as daemons running in rdomain 0,
> most notably unbound. All three of those daemons listen _to_ ;) ::1 and
> 127.0.0.1. I need smtpd and rspamd to have access to unbound for things
> like rDNS. resolv.conf(5) contains:
>
> router$ cat /etc/resolv.conf
> domain philomathiclife.com.
> family inet6 inet4
> lookup file bind
> nameserver ::1
> nameserver 127.0.0.1
> search philomathiclife.com.
>
> Anyway, the rules that I have that _seem_ to work are the following:
>
> pass out quick on lo1 inet6 proto { tcp udp } from ::1 to ::1 port 53 rtable 0
> pass out quick on lo1 inet proto { tcp udp } from 127.0.0.1 to 127.0.0.1 port 53 rtable 0
> pass in quick on { lo0 lo1 }
>
> I found that I needed it for something, but I don't remember what.
>
> Notice the lack of "nat-to". Is there a reason I should amend those
> pass out rules to include "nat-to" if I know 127.0.0.1 is the source
> address? Perhaps there is an implicit "nat-to" in my rules?

There's never an implicit "nat-to" in any rules.