Subject: pf NAT+filtering is slow with TCP
To: None <current-users@netbsd.org>
From: Teemu Rinta-aho <teemu@rinta-aho.org>
List: current-users
Date: 11/24/2004 14:53:28
Hi,

anyone using pf packet filtering *and* NAT in -current?

I tried it, but it doesn't seem to work very well.
The problem is that the filtering seems to be
ok: ICMP and TCP work from the firewall machine,
but hosts behind the firewall and NAT have very
slow TCP. ICMP works fine. I am using an almost
identical pf.conf to the one in the last section
of the pf FAQ, the example ruleset for a small
network.

I can make a TCP connection from behind NAT,
but it takes a looong time. Then, when I have
for example an SSH connection established and
I type one character, it echoes quickly, but
the second one (the second packet, I guess) takes
a long time to pass through.

And yes, ipfilter with exactly the same kernel
and other nodes works fine!

I can provide logs, dumps etc. if anyone is
interested.

Teemu