Subject: Re: ipf feature mask
To: None <email@example.com>
From: Patrick Welche <firstname.lastname@example.org>
Date: 07/08/2005 19:46:15
One more difference: "bad NAT" on the reply packet in the broken setup.
Now the rules look like:
block in log all
block out log all
pass in quick log on xi0 proto tcp from any to any port = http flags S/SA keep state
pass out quick log on rtk0 proto tcp from any to any port = http flags S/SA keep state
map rtk0 192.168.204.234/32 -> 22.214.171.124/32
which works, but not on the computer with s/xi0/ex0/g s/rtk0/bge0/g
On that one the reply has "bad NAT" on the SA packet returning from
the webserver as it hits the external interface, and gets blocked.
(It also has Feature mask: 0xa rather than 0x10a as on the working one)
They both work with the pf rules:
nat on $ext_if from $int_ip to any -> $ext_ip
block in log-all all
block out log-all all
pass in quick log-all on $int_if proto tcp from any to any port = http flags S/SA keep state
pass out quick log-all on $ext_if proto tcp from any to any port = http flags S/SA keep state
which I think are the equivalent of the ipf ones...
So, what does "bad NAT" imply? (ipnat -l looks correct)
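The two rulesets from the message above, written out as the files each tool actually loads, as an added example that is not the poster's own configuration. Interface names (xi0, rtk0) and the internal address 192.168.204.234 are taken from the message; the external address 192.0.2.10 is a documentation placeholder assumed here, and the file paths are the NetBSD defaults. The one point worth making explicit is that the ipf "map" line is an ipnat rule and lives in ipnat.conf, loaded by ipnat, not in the ipf filter ruleset, whereas in pf the nat rule sits in the same pf.conf as the filter rules.

```conf
# ===== IPFilter =====

# /etc/ipf.conf  -- filter rules only.  Load with:  ipf -Fa -f /etc/ipf.conf
block in log all
block out log all
# "flags S/SA keep state": only the SYN creates state; the SYN/ACK and the rest
# of the connection are passed by the state entry, not by these rules.
pass in quick log on xi0 proto tcp from any to any port = http flags S/SA keep state
pass out quick log on rtk0 proto tcp from any to any port = http flags S/SA keep state

# /etc/ipnat.conf  -- NAT rules.  Load with:  ipnat -CF -f /etc/ipnat.conf
# (192.0.2.10 is a placeholder for the real external address)
map rtk0 192.168.204.234/32 -> 192.0.2.10/32

# ===== pf =====

# /etc/pf.conf  -- macros, nat and filter rules in one file.  Load with:  pfctl -f /etc/pf.conf
ext_if = "rtk0"
int_if = "xi0"
int_ip = "192.168.204.234"
ext_ip = "192.0.2.10"       # placeholder, as above

# nat rules must come before the filter rules in pf.conf
nat on $ext_if from $int_ip to any -> $ext_ip

block in log-all all
block out log-all all
pass in quick log-all on $int_if proto tcp from any to any port = http flags S/SA keep state
pass out quick log-all on $ext_if proto tcp from any to any port = http flags S/SA keep state
```

To confirm what the kernel actually has loaded, `ipfstat -io` prints the active ipf in/out rules and `ipnat -l` prints the NAT rules together with the current mappings; on the pf side `pfctl -sr`, `pfctl -sn` and `pfctl -ss` show the filter rules, nat rules and state table respectively. Comparing `ipnat -l` on the working and the broken machine, right after the SYN has gone out, shows whether a mapping for 192.168.204.234 was created before the SYN/ACK arrives.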