On 2013-06-18, Wiesław Herr <[email protected]> wrote:
> Hi misc@!
>
> After deploying a new OpenBSD 5.3 firewall today I ran into a strange
> problem. The first rule in my ruleset is one NAT-ing ICMP packets from my
> host to Google's DNS IP (8.8.8.8):
>
>> fw1a-spt # pfctl -sr -R0
>> pass out log quick inet proto icmp from 192.168.5.96 to 8.8.8.8 nat-to 195.182.23.4

I suspect you may have an issue where state is not being created where
you expect it.

It's now recommended (and we've changed the sample pf.conf to match)
to start your ruleset with an explicit "block" (or "block log") rule to
ensure that you don't accidentally allow any traffic to pass without
keeping state.
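A pf.conf fragment illustrating the recommendation above, as an added example that is not from this thread; the `ext_if` macro and its interface name are assumptions, the addresses are the ones from the quoted rule:

```pf
# Added example pf.conf fragment (not from the original thread).
# Assumption: external interface is em0.
ext_if = "em0"

# Weak layout: the ruleset starts with the pass rule. Any packet that
# matches no rule falls through to pf's implicit default, which is to
# pass it without creating state, so it is never logged and never
# tracked.
#
# pass out log quick on $ext_if inet proto icmp from 192.168.5.96 to 8.8.8.8 nat-to 195.182.23.4

# Recommended layout: an explicit default deny first. Now only traffic
# matched by a later pass rule (which keeps state by default) gets
# through; everything else is dropped and shows up in pflog.
block log

pass out log quick on $ext_if inet proto icmp from 192.168.5.96 to 8.8.8.8 nat-to 195.182.23.4
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading, then use `pfctl -ss` to confirm a state entry appears for the ICMP flow after the rule is hit.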
