Subject: Re: Problems with pf(4)'s rdr rules
To: Miles Nordin <carton@Ivy.NET>
From: Pavel Cahyna <>
List: current-users
Date: 12/01/2005 12:02:20
On Wed, Nov 30, 2005 at 10:20:07PM -0500, Miles Nordin wrote:
> >>>>> "dh" == Dave Huang <> writes:
>     dh> rdr pass on $ext_if proto udp from any to any port 2093:2096
>     dh> -> port 2093:*
> try 'pfctl -s state' and see if it shows anything interesting.
> Here are the rules I use for eDonkey.  UDP is different than TCP and I
> found to need two rules because you never know whether your end or the
> remote end is going to be the one to create the state entry.  I don't
> know exactly why what you see is happening, but I think it might help
> to make an extra 'nat' statement to nail down the NAT state tuple so
> the outgoing packet originates from the same specific port on the PF
> gateway as you are later using in the rdr rule, rather than from a
> dynamic port as it will if it matches the overall NAT rule.  In this
> case, if the first packet activates the nat rule first rather than
> rdr, the rdr rule will never be matched by traffic coming back in, but
> you will sort of experience the same effect as if it were.  dunno if
> that makes sense, but consider my two rules if they make sense to you,
> and try the 'pfctl -s state' or the pftop package.

PF des not have any stateless NAT? I think that "binat" in IPF does
stateless mapping and PF has the same keyword (which is not much better
documented than IPF's).

Pavel Cahyna