Peter [thuis] wrote:
> The following minimal pf.conf causes the loss of UID/PID in pflog:
> ---- pf.conf ----
> nat on vic2 to any -> (vic2)
> nat-anchor "ftp-proxy/*"
> pass out quick log (user) proto tcp to port 54321
> pass quick on lo0
> pass in quick on vic2 from 172.16.1.1/24
> -----
>
> So if I do
> telnet 172.16.1.250 54321
> pflog shows:
> 08:17:50.571260 rule 0/(match) [uid 0, pid 13539] pass out on vic2:
> 192.168....
>
> If either of the two nat statements is removed from pf.conf the UID/PID
> appears resulting in pflog:
> 08:18:22.455949 rule 0/(match) [uid 0, pid 12076] pass out on vic2: [uid
> 1000, pid 9145] 172.16...
>
It might help to log the packet before it gets rewritten by nat. This is a conceptual, untested pf.conf. I hope you get the idea.
---- pf.conf ----
match out quick log (user) proto tcp to port 54321
match out on vic2 from !(vic2) nat-to (vic2)
pass out quick proto tcp to port 54321
pass quick on lo0
pass in quick on vic2 from 172.16.1.1/24
-----
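To check whether the socket owner actually survives into the log after a ruleset change like the one above, the tcpdump pflog text can be parsed for the optional "[uid N, pid M]" field that follows the interface name. This is an added example, not code from the thread: the sample lines are constructed from the two log lines Peter quoted, and the regex assumes the tcpdump pflog line layout shown there (rule owner uid/pid before the action, socket owner uid/pid after "on <if>:").

```python
import re

# Constructed sample, modelled on the two pflog lines quoted in the thread:
# the first (with nat active) lacks the socket owner, the second carries it.
SAMPLE_LOG = """\
08:17:50.571260 rule 0/(match) [uid 0, pid 13539] pass out on vic2: 192.168.1.10.49152 > 172.16.1.250.54321: S
08:18:22.455949 rule 0/(match) [uid 0, pid 12076] pass out on vic2: [uid 1000, pid 9145] 172.16.1.10.49152 > 172.16.1.250.54321: S
"""

# Assumed tcpdump pflog text format: timestamp, "rule <nr>/(<reason>)",
# optional rule-owner "[uid, pid]", action, direction, "on <ifname>:",
# optional socket-owner "[uid, pid]" (only present when log (user) worked).
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\S+) "
    r"(?:\[uid (?P<rule_uid>\d+), pid (?P<rule_pid>\d+)\] )?"
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?:\[uid (?P<uid>\d+), pid (?P<pid>\d+)\] )?"
    r"(?P<rest>.*)$"
)


def parse_pflog_line(line):
    """Parse one pflog text line into a dict; uid/pid are None when absent."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule_uid", "rule_pid", "uid", "pid"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def missing_socket_owner(log_text):
    """Return parsed records that carry no socket owner uid/pid.

    For rules logged with "log (user)" every such record is a case where
    the owner information was lost, as in the nat scenario above.
    """
    lost = []
    for line in log_text.splitlines():
        rec = parse_pflog_line(line)
        if rec is not None and rec["uid"] is None:
            lost.append(rec)
    return lost


if __name__ == "__main__":
    for rec in missing_socket_owner(SAMPLE_LOG):
        print("no socket owner:", rec["ts"], rec["action"], rec["dir"], rec["ifname"])
```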