On 2011-11-03, Bentley, Dain <dbent...@nas.edu> wrote:
> Hello all,
>
> I recently stood up an OpenBSD server to replace an older ASA. I read the
> faq and was interested in the packet tagging aspect because I have a DMZ and
> it makes the rule set seem more readable to my brain..
>
> In any case I have the following taken from the PF faqs on the OpenBSD
> website...

There are quite possibly some remaining glitches in the FAQ after converting
the translation rules over to using nat-to.

> _int = "re0"
> _ext = "fxp1"
> int_net = "192.168.200.0/24"
> pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET nat-to ($_ext)
> pass in on $_int from $int_net tag LAN_TO_INET
>
> ......
>
> pass out quick on $_ext tagged LAN_NAT_TO_INET

Packets are tagged as the ruleset is traversed, so at the time the "nat-to"
rule is handled, the packet has not yet been tagged (this also explains why
your alternative config file does work). Try reversing the rules:

> pass in on $_int from $int_net tag LAN_TO_INET
> pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET nat-to ($_ext)
..
> pass out quick on $_ext tagged LAN_NAT_TO_INET

Let me know if this helps and I'll swap them in the faq.
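Added example (not from the thread or the OpenBSD FAQ): a small pf.conf lint that applies the ordering rule the reply recommends, flagging any "tagged X" rule that appears before the "tag X" rule assigning it. It checks file order only, not PF's runtime semantics, and the two rulesets are the ones quoted above, embedded as constructed samples.

```python
import re

# Constructed sample: the ordering quoted from the FAQ in the original mail.
ORIGINAL = """\
_int = "re0"
_ext = "fxp1"
int_net = "192.168.200.0/24"
pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET nat-to ($_ext)
pass in on $_int from $int_net tag LAN_TO_INET
pass out quick on $_ext tagged LAN_NAT_TO_INET
"""

# Constructed sample: the reversed ordering suggested in the reply.
REVERSED = """\
_int = "re0"
_ext = "fxp1"
int_net = "192.168.200.0/24"
pass in on $_int from $int_net tag LAN_TO_INET
pass out on $_ext tag LAN_NAT_TO_INET tagged LAN_TO_INET nat-to ($_ext)
pass out quick on $_ext tagged LAN_NAT_TO_INET
"""

MACRO_RE = re.compile(r"^\w+\s*=")          # macro definition, not a rule
TAG_RE = re.compile(r"\btag\s+(\S+)")       # 'tag X' assigns X
TAGGED_RE = re.compile(r"\btagged\s+(\S+)") # 'tagged X' requires X


def check_tag_order(conf):
    """Return [(line_no, tag), ...] for every 'tagged X' whose assigning
    'tag X' rule comes later in the file or is missing entirely."""
    assigned = set()
    problems = []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line or MACRO_RE.match(line):
            continue
        # A rule's 'tagged' requirement is checked against rules seen so far,
        # before its own 'tag' assignment is recorded.
        for m in TAGGED_RE.finditer(line):
            if m.group(1) not in assigned:
                problems.append((n, m.group(1)))
        for m in TAG_RE.finditer(line):
            assigned.add(m.group(1))
    return problems


if __name__ == "__main__":
    print("original:", check_tag_order(ORIGINAL))  # [(4, 'LAN_TO_INET')]
    print("reversed:", check_tag_order(REVERSED))  # []
```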