On 2016-01-19, Michael Wilson <[email protected]> wrote:
> On Tue, 19 Jan 2016 09:14:08 +0100
> "Peter N. M. Hansteen" <[email protected]> wrote:
>
>> > [email protected] (zje.net.cn), 2016.01.19 (Tue) 03:37 (CET):
>> > > Hi, I'm testing the NAT with the pf on OpenBSD 5.8, but I cannot
>> > > make it successful. There is a server with pf having an internal IP
>> > > 10.0.11.200 and external IP 61.xxx.xx.xx, then, I make a pf.conf
>> > > with contents like below (having enabled IP forwarding):
>> > >
>> > > #my define
>> > > int_if = "de1" #10.0.11.200
>> > > ext_if = "de2" #61.xxx.xx.xx
>> > > int_net = "10.0.11.0/24"
>> > > #my rules
>> > > pass out on $ext_if inet from $int_if:network to any nat-to
>> > > $ext_if
>>
>> if those rules are your entire ruleset, forwarding is enabled and all
>> interfaces involved are correctly set up (not forgetting netmasks),
>> this should just work.
> Maybe I missed something, but what about:
>
> pass in on $int_if from $int_if:network
There is an implicit "pass flags any no state" rule. So the incoming packets should be accepted, and I'd expect this to work, though it is not a *good* configuration. Be explicit: make your first rule "block" or "block log". Otherwise it's easy to miss a case and then you're at risk of running into problems with TCP sequence number checks and window scaling when you add rules later.
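As an added illustration (not written by any of the posters in this thread), here is a minimal pf.conf for the setup quoted above that follows the advice to open with an explicit, logged block rule and then pass only what is intended. The interface names de1/de2 and the 10.0.11.0/24 prefix are taken from the original post; the `set skip on lo0` line and the ssh rule for reaching the firewall itself are assumptions added to make the ruleset complete.

```pf
# Added example, not the original poster's configuration.
# de1 = inside (10.0.11.200 on 10.0.11.0/24), de2 = outside (public address).
int_if  = "de1"
ext_if  = "de2"
int_net = "10.0.11.0/24"

# Assumption: do not filter loopback traffic at all.
set skip on lo0

# Explicit default deny. Anything not matched by a later pass rule is
# dropped and logged to pflog0, instead of being let through by the
# implicit default pass.
block log all

# Assumption: allow ssh to the firewall's inside address from the LAN.
pass in on $int_if inet proto tcp from $int_net to ($int_if) port 22

# Accept LAN traffic arriving on the inside interface. The default
# "keep state" creates a state entry, so the matching reply is allowed
# back in through the block rule without a separate pass rule.
pass in on $int_if inet from $int_net to any

# Translate LAN traffic to the external address on the way out. The
# parentheses make pf re-read de2's address if it changes (e.g. DHCP).
pass out on $ext_if inet from $int_net to any nat-to ($ext_if)

# Let the firewall's own outbound traffic leave.
pass out on $ext_if inet from ($ext_if) to any
```

To check it: `pfctl -nf /etc/pf.conf` parses the file without loading it; `pfctl -f /etc/pf.conf` loads it; `sysctl net.inet.ip.forwarding` must report 1 for the box to forward at all; `pfctl -ss` shows the NAT states being created as hosts on 10.0.11.0/24 send traffic; and `tcpdump -n -e -ttt -i pflog0` shows exactly which packets the block rule is dropping, which is the payoff of logging the default deny rather than relying on the implicit pass.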

