This is primarily an informative post for those who will search the archives later with a similar problem. Constructive comments are appreciated, however.
My main firewall has three network cards in it, from back when I was anticipating the future need for another network segment (for reasons I won't go into). I converted the one extra box I did have into another OpenBSD box and put two network cards in it, with the idea of bridging between two of the three cards in the firewall and getting rid of the current binat rule completely in the long term (a side effect is I get to use the old 10MBps cards I have for something useful; I know ne cards are synonymous with "cow turds" to a lot of people, but the amount of data I'm moving through them is low enough to mitigate the glaring flaws).

Until some point in the future, however, I still have one box behind binat. When first testing this setup, binat to that box didn't work. In order to get the binat working again, I had to explicitly pass the external address on the original external interface in pf.conf in order for it to work properly. Whether this is a quirk, a bug, or a feature of the bridging code, I'm not sure. (IMO: probably just a quirk, probably not a bug, possibly a feature.)

And remember, if in doubt about what exactly is going wrong in a pf ruleset, enable logging on all block rules, and use the information thus obtained to track down the problem.

-- 
Shawn K. Quinn <[EMAIL PROTECTED]>
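For readers reconstructing the setup described in the post, here is an added illustration (not the poster's own ruleset) of the bridge plus binat arrangement with the workaround and the logging advice applied; interface names, addresses and the bridged-segment host are assumptions, and the syntax is the old-style pf.conf/brconfig of the OpenBSD releases of that era.

```conf
# /etc/bridgename.bridge0 (assumed: the two ne cards form the bridge)
#   add ne1
#   add ne2
#   up
# Equivalent manual command: brconfig bridge0 add ne1 add ne2 up
# pf filters on the member interfaces (ne1, ne2), not on bridge0 itself.

# /etc/pf.conf (assumed interface names and RFC 5737 documentation addresses)
ext_if   = "fxp0"           # original external interface
ext_addr = "203.0.113.10"   # public address the binat host is reachable at
int_host = "192.168.1.10"   # the one box still behind binat

# Bidirectional NAT for the remaining internal host (old-style binat syntax).
binat on $ext_if from $int_host to any -> $ext_addr

# Log every block so blocked traffic shows up on pflog0 while debugging.
block log all

# Workaround from the post: once the bridge was up, binat only worked after
# the external address was explicitly passed on the original external interface.
# Restrict this to the services the binat host actually offers (assumed: web).
pass in on $ext_if inet proto tcp from any to $ext_addr port 80 keep state
pass out on $ext_if inet keep state

# Traffic across the bridged segment (assumed: nothing else listens there).
pass in  on ne1 inet keep state
pass out on ne1 inet keep state

# To read what the block rules logged:
#   tcpdump -n -e -ttt -i pflog0
```

Load with `pfctl -f /etc/pf.conf` and compare the pflog0 output before and after adding the explicit pass rule to see which rule was dropping the binat traffic.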