Subject: Re: [Fwd: Re: kern/28651: NAT in pf slow with TCP]
To: Teemu Rinta-aho <>
From: Mipam <>
List: current-users
Date: 12/28/2004 12:00:16
> Mipam wrote:
> > With ipf on outbound traffic it's first ipf, then ipnat.
> > About pf I'm not sure.
> With pf it seems that it is nat first and then filtering,
> for both directions.
> > Anyway, nat on pf is working fine here, ftp-proxy also runs here.
> > Maybe show the rules you use to nat?
> It's all in

Okay, first, by default a floating state-policy is enabled
(set state-policy floating),
meaning if you allow traffic to go out on your external interface, that
traffic is allowed in on your internal interface. This way you can remove
some lines in your config. Of course, if you set if-bound state policy, you
need to define rules on each interface.

Some questions: did you add support for pf in the kernel config and
recompile a new kernel with it? Did you make a pf device in /dev?
(sh ./MAKEDEV pf)
NetBSD current has a default pf.conf and also nat statements in it that are
easily adjustable to your situation. It works fine for me, really.