Thread: pf rdr problem
#7
Old 20th March 2010
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Although I could not test it, the following snippet using tags should do it.
Code:
EXT = xl0
INT = rl0

nat on $EXT from 192.168.1.0/24 to any -> ($EXT)
nat on $EXT from 192.168.2.0/24 to any -> ($EXT)

rdr on $EXT inet proto tcp to $EXT port 666 tag RDR_OK  -> 192.168.1.20 

block log all

pass in quick on $EXT tagged RDR_OK
pass out quick on $INT tagged RDR_OK
On my test machine (just a syntax test), this will expand to
Code:
# pfctl -vvnf labels-rdr  
EXT = "xl0"
INT = "rl0"
@0 nat on xl0 inet from 192.168.1.0/24 to any -> (xl0) round-robin
@1 nat on xl0 inet from 192.168.2.0/24 to any -> (xl0) round-robin
@2 rdr on xl0 inet proto tcp from any to 10.0.0.200 port = 666 tag RDR_OK -> 192.168.1.20
@0 block drop log all
@1 pass in quick on xl0 all flags S/SA keep state tagged RDR_OK
@2 pass out quick on rl0 all flags S/SA keep state tagged RDR_OK
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
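Added example, not part of J65nko's post: the tag scheme above only works if every tag an rdr rule sets is also matched by a "pass in" and a "pass out ... tagged" rule, and pf will not warn you when a tag name is misspelled on one side. The small Python check below parses the expanded ruleset that "pfctl -vvnf" prints (the posted output is embedded as constructed sample input, plus a constructed broken variant with an unpassed rdr tag and a typo'd tagged name) and reports the gaps. Rule-number prefixes, the "tag"/"tagged" keywords and the "pass in/out" direction tokens are taken from the pfctl output format shown in the post; everything else is this example's own.

```python
import re

# Constructed sample: the expanded ruleset from the post's "pfctl -vvnf" run.
POSTED_RULESET = """\
@0 nat on xl0 inet from 192.168.1.0/24 to any -> (xl0) round-robin
@1 nat on xl0 inet from 192.168.2.0/24 to any -> (xl0) round-robin
@2 rdr on xl0 inet proto tcp from any to 10.0.0.200 port = 666 tag RDR_OK -> 192.168.1.20
@0 block drop log all
@1 pass in quick on xl0 all flags S/SA keep state tagged RDR_OK
@2 pass out quick on rl0 all flags S/SA keep state tagged RDR_OK
"""

# Constructed variant: a second rdr whose tag no pass rule matches, and a
# pass rule whose tag (a typo) nothing ever sets. pfctl accepts both silently.
BROKEN_RULESET = POSTED_RULESET + """\
@3 rdr on xl0 inet proto tcp from any to 10.0.0.200 port = 8080 tag WEB_OK -> 192.168.1.21
@3 pass in quick on xl0 all flags S/SA keep state tagged RDR_OK2
"""

SET_RE = re.compile(r"\btag\s+(\S+)")        # "tag X" sets a tag (nat/rdr/pass)
MATCH_RE = re.compile(r"\btagged\s+(\S+)")   # "tagged X" matches a tagged packet


def parse_tags(text):
    """Collect which tags are set and which are matched by pass rules.

    Returns (setters, matched): setters maps tag -> list of rule bodies that
    set it; matched maps tag -> set of directions ("in", "out") passed for it.
    """
    setters, matched = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("@"):
            continue  # skip macro echoes and other pfctl chatter
        body = line.split(None, 1)[1]
        m = SET_RE.search(body)
        if m:
            setters.setdefault(m.group(1), []).append(body)
        m = MATCH_RE.search(body)
        if m and body.startswith("pass"):
            tokens = body.split()
            # "pass quick ..." without a direction applies to both directions
            dirs = {tokens[1]} if tokens[1] in ("in", "out") else {"in", "out"}
            matched.setdefault(m.group(1), set()).update(dirs)
    return setters, matched


def find_tag_gaps(text):
    """Return human-readable problems found in the expanded ruleset:
    tags that are set but not passed in both directions, and tags that a
    pass rule matches but no rule ever sets."""
    setters, matched = parse_tags(text)
    problems = []
    for tag in sorted(setters):
        for direction in ("in", "out"):
            if direction not in matched.get(tag, set()):
                problems.append(
                    f"{tag}: set by a rule but no 'pass {direction} ... tagged {tag}' rule"
                )
    for tag in sorted(matched):
        if tag not in setters:
            problems.append(f"{tag}: matched by a pass rule but never set by any rule")
    return problems


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULESET), ("broken", BROKEN_RULESET)):
        gaps = find_tag_gaps(rules)
        print(f"{name}: {'OK' if not gaps else ''}")
        for gap in gaps:
            print("  -", gap)
```

Feed it the real thing with something like "pfctl -vvnf /etc/pf.conf > expanded.txt" and pass the file contents to find_tag_gaps(); the check deliberately reads the expanded output rather than pf.conf so that macros and anchors are already resolved.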