Darrin Chandler wrote:
> > rdr on $ExtIfa inet proto tcp from any to $ExtIfa port 25 -> $box2
> > rdr on $ExtIf inet proto tcp from any to $ExtIf port 25 -> $box1
>
> Forget for a second what you *want* to have happen, and look at the
> above snippets of your pf.conf. What's the *last* matching rule for
> something on $ExtIfa?
Ah, good point, thanks. I tried flipping the order (and adding the :0
parameter) but the following still forwards box2's requests to box1:
ExtIf="xl1"
ExtIfa="1.2.3.5"
IntIf="xl0"
box1="9.8.7.6"
box2="9.8.7.7"
nat on $ExtIf:0 from $IntIf:network to any -> ($ExtIf:0)
rdr on $ExtIf inet proto tcp from any to $ExtIf:0 port 22 -> $box1
rdr on $ExtIfa inet proto tcp from any to $ExtIfa port 22 -> $box2
pass in quick on $ExtIf proto tcp from any to $box1 \
port 22 flags S/SA keep state
pass in quick on 1.2.3.5 proto tcp from any to $box2 \
port 22 flags S/SA keep state
Changing to "$ExtIf:0" on the first pass rule just blocks traffic.
Commenting out the "nat" rule has no effect, at least for inbound traffic.
I've looked for examples of :0 in use, but haven't found anything relevant.
Thanks much for any further clues.
dn
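An added example for readers of this thread; it is not from the post above and not something the poster reported as working. The point it illustrates is a pf.conf(5) detail: the `on` keyword takes an interface name or interface group, not an address. With ExtIfa="1.2.3.5", `on $ExtIfa` names an interface called "1.2.3.5"; pf loads rules for interfaces that do not exist (they may be created later), so the rule parses but never matches a packet. The `:0` modifier belongs to an interface used in an address position and means "the interface's addresses, excluding aliases". Both public addresses sit on xl1, so every rule goes `on $ExtIf` and the two services are told apart by the destination address. Interface names and addresses are the ones from the post; the assumption is that 1.2.3.5 is an alias on xl1 and that the primary address is the one `$ExtIf:0` expands to. Whether the original `on $ExtIf:0` is parsed as an interface name is not asserted here; the form below avoids the question.

```pf
# Added example (not from the thread). Macros as in the post; the only
# assumption is that 1.2.3.5 is an alias on xl1 next to a primary address.
ExtIf="xl1"              # interface carrying the primary address and the alias
ExtIfa="1.2.3.5"         # the alias: an address, so it can never follow "on"
IntIf="xl0"
box1="9.8.7.6"
box2="9.8.7.7"

# Outbound NAT. ($ExtIf:0) is the primary address of xl1, tracked dynamically;
# ":0" excludes aliases, so replies from the LAN never source from 1.2.3.5.
nat on $ExtIf from $IntIf:network to any -> ($ExtIf:0)

# Inbound redirection. "on" picks the interface; "to" picks which public
# address was hit. $ExtIf:0 expands to the primary address, $ExtIfa to the
# alias, so each connection matches exactly one rdr and order no longer matters.
rdr on $ExtIf inet proto tcp from any to $ExtIf:0 port 22 -> $box1
rdr on $ExtIf inet proto tcp from any to $ExtIfa  port 22 -> $box2

# Filtering happens after translation, so the destination seen here is already
# the internal host. Both pass rules are on the real interface.
pass in quick on $ExtIf inet proto tcp from any to $box1 port 22 flags S/SA keep state
pass in quick on $ExtIf inet proto tcp from any to $box2 port 22 flags S/SA keep state
```

To check it: `pfctl -nf /etc/pf.conf` parses the file without loading it; after `pfctl -f /etc/pf.conf`, `pfctl -vsn` lists the nat/rdr rules with their evaluation and match counters, which shows directly which rdr rule is catching connections to 1.2.3.5; `pfctl -s Interfaces` lists the interface names pf knows about, and an entry such as "1.2.3.5" in that list is the sign that an address was used where an interface was expected.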