Are the pass rules valid for the packets you are redirecting? A redirect rule and pass rule like the following works without issue.
rdr on $ExtIf inet proto tcp from $WorkSsh to ($ExtIf) port ssh tag OPENSSH -> lo0 port $SshPort
pass in log on $ExtIf inet proto tcp from $WorkSsh to lo0 port $SshPort $SynState tagged OPENSSH

OpenBSD Pf Firewall "how to" ( pf.conf )
http://calomel.org/pf_config.html

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Fri, Feb 08, 2008 at 08:35:44AM -0500, S. Scott Sima, CISA, CISM wrote:
>(sorry, orig post errantly had no subject)
>
>Trying to redact (simplify) pf rdr statements by moving the repeating
>(common) criteria to the top.
>
>The rules load error free. The pfctl -vvsnat shows the rdr-anchor in
>place; however, tcpdump shows the block rules being hit AS IF THE
>TAG/TAGGED IS NOT BEING "SEEN."
>
>Anyone, any ideas?
>
>Thanks...
>
>/etc/pf.anchor.rdr1
># -----
>anchor log on outside inet proto tcp \
>from !<droplist> to (outside:0) {
>rdr port 25 tag T1 -> 192.168.2.225
>rdr port 5060 tag T1 -> 192.168.2.200
>rdr port 443 tag T2 -> 192.168.2.250
>}
># ---
>
>/etc/pf.conf
>rdr-anchor "/etc/pf.anchor.rdr1"
>...
>block all
>...
>pass log quick ...tagged T1 ...
>pass log quick ...tagged T2 ...
>...
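A small lexical checker for the tag/tagged pairing discussed in this thread, added here as an example and not part of either message: it joins backslash-continued rules, collects every tag set with `tag X` and every tag matched with `tagged X`, and reports tags that are set but never matched or matched but never set. The ruleset it runs on is a constructed sample modelled on the rules quoted above, with one deliberately mismatched `tagged T3` rule; the macro names are placeholders.

```python
import re

# Constructed sample, modelled on the rules quoted in this thread (the reply's
# OPENSSH pair and the poster's anchor with "tag T1"/"tag T2"), plus one
# deliberately mismatched pass rule (tagged T3). Not a real pf.conf.
SAMPLE_PF_CONF = """\
# macros omitted: $ExtIf, $WorkSsh, $SshPort, $SynState are placeholders
rdr on $ExtIf inet proto tcp from $WorkSsh to ($ExtIf) port ssh tag OPENSSH -> lo0 port $SshPort
pass in log on $ExtIf inet proto tcp from $WorkSsh to lo0 port $SshPort $SynState tagged OPENSSH
anchor log on outside inet proto tcp \\
from !<droplist> to (outside:0) {
rdr port 25 tag T1 -> 192.168.2.225
rdr port 5060 tag T1 -> 192.168.2.200
rdr port 443 tag T2 -> 192.168.2.250
}
block all
pass log quick on outside inet proto tcp tagged T1
pass log quick on outside inet proto tcp tagged T3
"""

TAG_RE = re.compile(r"\btag\s+(\S+)")        # a rule that applies a tag
TAGGED_RE = re.compile(r"\btagged\s+(\S+)")  # a rule that matches on a tag

def logical_lines(text):
    """Yield rules with backslash continuations joined and comments stripped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            yield line

def audit_tags(text):
    """Cross-check 'tag X' setters against 'tagged X' matchers in a ruleset."""
    setters, matchers = {}, {}
    for rule in logical_lines(text):
        for tag in TAG_RE.findall(rule):
            setters.setdefault(tag, []).append(rule)
        for tag in TAGGED_RE.findall(rule):
            matchers.setdefault(tag, []).append(rule)
    return {
        # tags applied by some rule that no pass/block rule ever matches on
        "never_matched": sorted(t for t in setters if t not in matchers),
        # rules waiting for a tag that nothing applies (typo, or a rdr not hit)
        "never_set": sorted(t for t in matchers if t not in setters),
    }

if __name__ == "__main__":
    print(audit_tags(SAMPLE_PF_CONF))  # {'never_matched': ['T2'], 'never_set': ['T3']}
```

This is a text-level consistency check only; it does not reproduce pf's anchor evaluation, so a ruleset can pass this audit and still behave as the original poster describes. Use `pfctl -nvf` on the real file to see the rules as pf actually parses them.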