On 6/24/23 13:14, Stuart Henderson wrote:
On 2023-06-24, Stephan Neuhaus wrote:
I now think that either the documentation is wrong, or
pf is wrong. At any rate, there seems to be a rather
serious disconnect between the two. The FAQ clearly
says:
When a packet is selected by a match rule
Hi Zack
On 6/24/23 03:39, Zack Newman wrote:
There do appear to be contradictions in documentation as well as the pf
book. The Configuring NAT section is correct as you have seen with your
own rules.
I'm not sure about the Configuring NAT section being
correct. I still maintain that the docume
On 6/23/23 18:29, Zack Newman wrote:
On 6/23/23 11:19, Stephan Neuhaus wrote:
# Rule 5
match out log on em0 from athn0:network to any nat-to (em0)
# Rule 6
pass out log on em0 from athn0:network to any
Rule 5 replaces the source IP address with the IP address assigned to
em0 - as well as
On 6/23/23 13:19, Stephan Neuhaus wrote:
[...]
Some people have replied to this post off-list and
have made the entirely reasonable conjecture that the
packet changes its effective source address the moment
the match rule matches. With the changed source
address, the pass rule no longer
On 6/23/23 13:19, Stephan Neuhaus wrote:
Hi list [...]
In other words, now the same packets that weren't
passed using the match/pass combo are not passed when
the nat-to is part of the pass rule.
That should have been "...combo are NOW passed...". Sorry.
Cheers
Stephan
Hi list
I am using a PC Engines apu2 board as a firewall. Or
rather, I want to use it as one, but it doesn't work
as I think it should.
First up, some information about my system. It has
three gigabit wired Ethernet interfaces, em0, em1, and
em2, as well as an 802.11n interface, athn0. Only em0
Hi list
I think I have found a typo in the pf NAT FAQ here:
https://www.openbsd.org/faq/pf/nat.html. In the
"Configuring NAT" section it says:
The general format in pf.conf looks something like this:
match out on interface [af] \
from src_addr to dst_addr \
nat-to ext_addr [pool_t
7 matches