hi, maybe synproxy is conflicting somehow with rdr states? try keep state instead, just to test it... but I'm not sure. As Dan said, do a "block log all" and run tcpdump on pflog0 while you're trying to connect.
you can also do this, I like tagging :)

rdr on $ext_if proto tcp from any to $ext_if port $email_ports tag email_in -> $email_server
rdr on $ext_if proto tcp from any to $ext_if port $web_ports tag web_in -> $web_server

in filtering section:

pass log tagged email_in keep state
pass log tagged web_in keep state

so you don't need to specify the "any to xxx port xxx" twice...

another thing is: normally it's a problem to connect to your redirected ports (public ip) from the inside (LAN). because pf does NAT on ext_if for any traffic. and then needs a second state for the RDR to the inside. I think this is not working. but you can solve this with an additional "no nat proto tcp from $inside_net to $public_ip port $port" or something like this... I think this should work. pf does not need NAT in this case, because the local box knows both networks (public and private) and pf generates just one state... maybe that's your problem...

greets
marco

On Fri, May 8, 2009 at 6:37 AM, Dan <d...@ourbrains.org> wrote:
> Daniel Boyd(dan...@boydemail.com)@2009.05.07 13:26:42 -0500:
> > I'm having some problems getting pf to forward ports. My computer is
> > running a fresh install of OpenBSD 4.5.
> >
> > My internal network is using 172.17.2.0/24 and I need pf to do NAT and
> > forward some ports to two internal servers.
> >
> > NAT is working just fine, (e.g. the internal computers can browse the
> > web etc.) but I can't connect to my internal servers from the outside.
> >
> ...
> > block all
> ...
>
> Change block all to block log all, then tcpdump -nettti pflog0
>
> Try to connect to rdr'd machines.
> You'll see exactly where the problem is.
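A complete pf.conf fragment that puts the two suggestions from this thread together (tagged rdr rules matched by "pass tagged" in the filter section, and "block log all" so pflog0 shows every dropped packet). This is an added example for the OpenBSD 4.5 pf syntax discussed above, not a config posted by anyone in the thread; the interface names, server addresses and port lists are assumed values, and only the 172.17.2.0/24 network comes from Daniel's post. The LAN-side reflection case marco mentions at the end is not covered here.

```pf
# Assumed interface names and addresses (example values, not from the thread).
ext_if = "em0"
int_if = "em1"
int_net = "172.17.2.0/24"      # the poster's internal network
email_server = "172.17.2.10"   # assumed
web_server = "172.17.2.20"     # assumed
email_ports = "{ 25, 143, 993 }"
web_ports = "{ 80, 443 }"

# --- Translation section (nat/rdr are evaluated before the filter rules) ---

# Outbound NAT for the LAN; ($ext_if) in parentheses tracks a dynamic address.
nat on $ext_if from $int_net to any -> ($ext_if)

# Redirect inbound connections and tag them. The tag is what the filter
# section matches on, so the "from any to ... port ..." part is written once.
rdr on $ext_if proto tcp from any to ($ext_if) port $email_ports tag email_in -> $email_server
rdr on $ext_if proto tcp from any to ($ext_if) port $web_ports   tag web_in   -> $web_server

# --- Filter section ---

# Default deny with logging: every drop shows up on pflog0 when debugging
# (Dan's suggestion). Drop "log" again once the rules are known to be right.
block log all

# Loopback and the LAN itself.
pass quick on lo0
pass on $int_if keep state

# Allow the redirected connections by tag only; no ports or addresses repeated.
# The state is created on the inbound pass, so the forwarded packet on $int_if
# is matched by that state and needs no separate rule.
pass in log on $ext_if tagged email_in keep state
pass in log on $ext_if tagged web_in   keep state

# Outbound traffic from the firewall and NATed LAN clients.
pass out on $ext_if keep state
```

Check the syntax before loading it with "pfctl -nf /etc/pf.conf", then load it with "pfctl -f /etc/pf.conf" and watch "tcpdump -nettti pflog0" while connecting from outside: a logged packet on $ext_if to the public address means the rdr did not match (wrong port or address), while a logged packet leaving on $int_if towards the server means the translation happened but the pass rule or its state did not cover it.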