Subject: Re: Problems with pf(4)'s rdr rules
To: Miles Nordin <carton@Ivy.NET>
From: Pavel Cahyna <pcah8322@artax.karlin.mff.cuni.cz>
List: current-users
Date: 12/01/2005 12:02:20
On Wed, Nov 30, 2005 at 10:20:07PM -0500, Miles Nordin wrote:
> >>>>> "dh" == Dave Huang <khym@azeotrope.org> writes:
>
> dh> rdr pass on $ext_if proto udp from any to any port 2093:2096
> dh> -> 10.1.1.11 port 2093:*
>
> try 'pfctl -s state' and see if it shows anything interesting.
>
> Here are the rules I use for eDonkey. UDP is different than TCP and I
> found to need two rules because you never know whether your end or the
> remote end is going to be the one to create the state entry. I don't
> know exactly why what you see is happening, but I think it might help
> to make an extra 'nat' statement to nail down the NAT state tuple so
> the outgoing packet originates from the same specific port on the PF
> gateway as you are later using in the rdr rule, rather than from a
> dynamic port as it will if it matches the overall NAT rule. In this
> case, if the first packet activates the nat rule first rather than
> rdr, the rdr rule will never be matched by traffic coming back in, but
> you will sort of experience the same effect as if it were. dunno if
> that makes sense, but consider my two rules if they make sense to you,
> and try the 'pfctl -s state' or the pftop package.
PF does not have any stateless NAT? I think that "binat" in IPF does
stateless mapping and PF has the same keyword (which is not much better
documented than IPF's).
Pavel Cahyna
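An added example, not from Dave's, Miles's or Pavel's posts, of what Miles's suggested pairing looks like in pf.conf: a nat rule with static-port for the eDonkey UDP range placed ahead of the general nat rule, followed by Dave's quoted rdr rule, with a binat line for the alternative Pavel mentions. The internal host and port range come from Dave's rule; the interface name, the internal subnet and the binat external address are assumed placeholders.

```conf
# Added example (not from the thread). Interface, subnet and the binat
# address are assumed; host and port range are from Dave's quoted rule.
ext_if = "fxp0"             # assumed external interface
int_net = "10.1.1.0/24"     # assumed internal subnet
int_host = "10.1.1.11"      # from Dave's rdr rule
edonkey_udp = "2093:2096"   # from Dave's rdr rule

# nat and rdr rules are first-match, so the specific rule must come before
# the general one. static-port keeps the original source port, so the
# state created by an outgoing packet uses the same gateway port that the
# rdr rule below expects for traffic coming back in.
nat on $ext_if proto udp from $int_host port $edonkey_udp to any \
    -> ($ext_if) static-port

# General outbound NAT: source ports are rewritten to dynamic ports, so a
# state created here would never line up with the rdr rule.
nat on $ext_if from $int_net to any -> ($ext_if)

# Inbound redirect for the same range (Dave's rule, unchanged).
rdr pass on $ext_if proto udp from any to any port $edonkey_udp \
    -> $int_host port 2093:*

# Alternative Pavel raises: binat maps one internal host to one external
# address in both directions. It needs a dedicated external address
# (placeholder shown) and, like nat and rdr, it still creates state
# entries; pf has no stateless translation.
# binat on $ext_if from $int_host to any -> 192.0.2.10
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then, as Miles suggests, watch `pfctl -s state` while a peer sends traffic: with static-port in effect the outbound and inbound state entries should show the same gateway port in the 2093:2096 range instead of a dynamic one.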