Subject: Re: [Fwd: Re: kern/28651: NAT in pf slow with TCP]
To: Teemu Rinta-aho <teemu@rinta-aho.org>
From: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
List: current-users
Date: 12/21/2004 21:22:21
On Tue, 21 Dec 2004 17:14:38 +0000, Teemu Rinta-aho wrote:

> Thanks, but no matter how I write the rules and how minimal
> and unsophisticated I make the ruleset, it just doesn't work.

Maybe ask at the mailing list dedicated for PF on NetBSD? See
http://nedbsd.nl/~ppostma/pf/ for contact information.

> 
> Could someone please tell me where these different filters are located
> in the stack (i.e. ipfilter, pf and tcpdump) for incoming and outgoing
> packets? What I noticed was that when I use ipfilter, with tcpdump I see
> packets going out with the IP source address of the external interface
> (NAT has taken place before tcpdump), while with pf I see source
> addresses that have not been changed by NAT yet... Is the pf NAT broken
> or is the situation in the output something like this?
> 
> socket ------ ipfilter -- tcpdump -- pf ----->

I doubt it. tcpdump should always be at the end IMHO. You could verify it
by having another host on this network and running tcpdump on it (using
promiscuous mode).

> A diagram of the IP stack would be worth a thousand
> words. Any links to any related information appreciated!

Maybe look at http://mniam.net/pf/pf.png or
http://homepage.mac.com/quension/pf/flow.png

Bye	Pavel
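One way to act on the verification step suggested above: capture on a second host on the external segment with `tcpdump -n` and then check the captured lines for packets that still carry an internal source address. The script below is an added example, not code from the original thread or from NetBSD or pf; the internal network (192.168.1.0/24), the NAT address (198.51.100.2) and the sample capture lines are all constructed assumptions.

```python
"""Check a tcpdump -n capture for packets that left the NAT box untranslated.

Run tcpdump (in its default promiscuous mode) on a second host on the
external segment, save the output, and feed it to this script. Any packet
whose source is still an internal address but whose destination is outside
the internal network should have been rewritten by NAT and was not.
"""
import ipaddress
import re
import sys

# Assumptions for this example: the LAN behind the pf box and the address
# NAT is expected to rewrite sources to. Adjust to the real topology.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
EXTERNAL_ADDR = ipaddress.ip_address("198.51.100.2")

# Constructed sample of tcpdump -n output as seen from the second host
# (not a real capture; the addresses are documentation ranges).
SAMPLE_CAPTURE = """\
21:22:01.000001 IP 192.168.1.10.54321 > 203.0.113.5.80: S 1:1(0) win 65535
21:22:01.000002 IP 203.0.113.5.80 > 198.51.100.2.54321: S 2:2(0) ack 2 win 5840
21:22:01.000003 IP 198.51.100.2.54322 > 203.0.113.5.443: S 3:3(0) win 65535
21:22:01.000004 IP 192.168.1.11.1024 > 192.168.1.10.22: S 4:4(0) win 65535
21:22:01.000005 IP 192.168.1.12.2048 > 203.0.113.9.53: UDP, length 40
21:22:01.000006 arp who-has 192.168.1.1 tell 192.168.1.10
"""

# Matches the "IP src.sport > dst.dport:" prefix of tcpdump -n IPv4 lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_capture(text):
    """Return (src, sport, dst, dport) tuples for each IPv4 line in text."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, IPv6 or truncated lines are not interesting here
        packets.append((
            ipaddress.ip_address(m["src"]), int(m["sport"]),
            ipaddress.ip_address(m["dst"]), int(m["dport"]),
        ))
    return packets


def classify(src, dst):
    """Label a packet by what its source address says about NAT."""
    if src in INTERNAL_NET and dst in INTERNAL_NET:
        return "internal"       # LAN-to-LAN; NAT is not expected to touch it
    if src in INTERNAL_NET:
        return "untranslated"   # left towards the outside with a LAN source
    if src == EXTERNAL_ADDR:
        return "translated"     # rewritten to the NAT address as expected
    return "inbound"            # reply or unrelated traffic from outside


def summarize(text):
    """Count packets per NAT category."""
    counts = {"translated": 0, "untranslated": 0, "inbound": 0, "internal": 0}
    for src, _sport, dst, _dport in parse_capture(text):
        counts[classify(src, dst)] += 1
    return counts


def find_untranslated(text):
    """List (src, dst, dport) for packets NAT should have rewritten."""
    return [(str(src), str(dst), dport)
            for src, _sport, dst, dport in parse_capture(text)
            if classify(src, dst) == "untranslated"]


if __name__ == "__main__":
    # Read a saved capture from a file argument, or fall back to the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    print(summarize(data))
    for src, dst, dport in find_untranslated(data):
        print(f"untranslated: {src} -> {dst}:{dport}")
```

If the second host shows only translated sources while tcpdump on the pf box itself shows internal ones, the capture point on the NAT box simply sits before translation; if the second host also sees internal sources on the wire, the NAT rule is not matching.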