Subject: Re: [Fwd: Re: kern/28651: NAT in pf slow with TCP]
To: Teemu Rinta-aho <firstname.lastname@example.org>
From: Mipam <email@example.com>
Date: 12/28/2004 12:00:16
> Mipam wrote:
> > With ipf on outbound traffic it's first ipf, then ipnat.
> > About pf i'm not sure.
> With pf it seems that it is nat first and then filtering,
> for both directions.
> > Anyway, nat on pf is working fine here, ftp-proxy also runs here.
> > Maybe show the rules you use to nat?
> It's all in http://www.rinta-aho.org/pr-pf/
Okay, first, by default a floating state-policy is enabled
(set state-policy floating), meaning that if you allow traffic to go out on
your external interface, that traffic is allowed in on your internal
interface. This way you can remove some lines in your config. Of course, if
you set the if-bound state policy you need to define rules on each interface.
Some questions: did you add support for pf in the kernel config and
recompile a new kernel with it? Did you make a pf device in /dev?
(sh ./MAKEDEV pf)
NetBSD current has a default pf.conf with nat statements in it that are
easily adjustable to your situation. It works fine for me, really.