NetBSD-Users archive


npf config



Hi -

Maybe I've been looking at this too long...
can someone tell me why this npf.conf
is not providing gw service to 10.0.0.0/24
via 10.0.0.1, the wm0 interface? The npf
host has fully functional gw via a wm1
interface on the 10.0.1.0/24 network.

# npfctl show

# filtering:    active
# config:       loaded

procedure "log"
map wm1 dynamic any -> 10.0.1.1 pass family inet4 from 10.0.0.0/24
group "external" on wm1
        pass stateful out final family inet4 from 10.0.0.0/24
        pass stateful out final all
        pass stateful in final family inet4 proto tcp flags S/FSRA to 10.0.1.1 port 22
group "internal" on wm0
        block return-icmp in all
        pass in final family inet4 from 10.0.0.0/24
        pass out final all
group
        pass final on lo0 all
        pass final on wm0 all
        block return-icmp all

# ifconfig -a |grep -E '(^wm|inet )' | grep -v 127.0

wm0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
wm1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255

# netstat -finet -anr | grep -E '(link|default)'

default            10.0.1.1           UGS         -        -      -  wm1
10.0.1/24          link#2             UC          -        -      -  wm1
10.0.0/24          link#1             UC          -        -      -  wm0

Hosts on the 10.0.0.0/24 network configured to use the npf
host as gw can reach the npf "external" 10.0.1.1 wm0 interface,
but nothing else on 10.0.1.0/24 or beyond. What's missing?

Thanks!
-George


-- 
George Georgalis, (415) 894-2710, http://www.galis.org/

