On 09/02/12 17:39, Kapetanakis Giannis wrote:
Hi,
source-hash gives me a different IP when used in different rules:
pass out quick log on $ext_if proto tcp from 10.0.0.1 to 203.0.113.1 port 80 nat-to 192.0.2.0/24 source-hash
pass out quick log on $ext_if proto tcp from 10.0.0.1 to 203.0.113.1 port 443 nat-to 192.0.2.0/24 source-hash
With this I get:
Feb 09 17:32:29.467431 rule 133/(match) pass out on vlanxxx: 192.0.2.1.64386 > 203.0.113.1.80: S 2151338718:2151338718(0) win 14600 <mss 1440,sackOK,timestamp 883937025 0,nop,wscale 9>
Feb 09 17:32:33.464448 rule 134/(match) pass out on vlanxxx: 192.0.2.2.57614 > 203.0.113.1.443: S 2121037714:2121037714(0) win 14600 <mss 1440,sackOK,timestamp 883941022 0,nop,wscale 9>
If I change the firewall rule to:
pass out quick log on $ext_if proto tcp from 10.0.0.1 to 203.0.113.1 port {80, 443} nat-to 192.0.2.0/24 source-hash
although this is evaluated as 2 rules (at least in pfctl -sr), I always get the same IP, 192.0.2.1.
Is this normal?
Thanks,
Giannis
Hi,
Is this normal behavior?
Shouldn't the hashed IP be always the same? Could this be related to key?
regards,
Giannis