On 2012-09-13, Michel Blais <mic...@targointernet.com> wrote:
> Hi,
>
> I just encountered a strange behavior with the bi-nat rules. Since we optimize
> our firewall script via multiple anchors for our thousands of bi-nat rules, we
> don't use the bi-nat rule but instead use the 2 rules in different anchors.
> Example:
>
> anchor out on $ext_if from 192.168.0.0/16 {
>      anchor out on $ext_if from 192.168.0.0/24 {
>          match out on $ext_if inet from 192.168.0.1 to any nat-to 
> X.Y.Z.1 static-port
>          match out on $ext_if inet from 192.168.0.2 to any nat-to 
> X.Y.Z.2 static-port
>      }
> }
>
> anchor in on $ext_if to X.Y.Z.0/20 {
>      anchor in on $ext_if to X.Y.Z.0/24 {
>          match in on $ext_if inet from any to X.Y.Z.1 rdr-to 192.168.0.1
>          match in on $ext_if inet from any to X.Y.Z.2 rdr-to 192.168.0.2
>      }
> }

Can't help with the anchor thing (I don't see how they would simplify my
rulesets so I only use them as places for other programs to hook into the
ruleset e.g. ftp-proxy etc). But if the rules are exactly how you show,
with 192.168.0.nn and X.Y.Z.nn (same nn for original and translated
addresses), are you aware of this in pf.conf(5) which seems tailor-made
for this type of configuration?

[...]
     For af-to, nat-to and rdr-to options for which there is a single
     redirection address which has a subnet mask smaller than 32 for IPv4 or
     128 for IPv6 (more than one IP address), a variety of different methods
     for assigning this address can be used:

     bitmask
           The bitmask option applies the network portion of the redirection
           address to the address to be modified (source with nat-to,
           destination with rdr-to).
[...]
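An added example, not from either poster: the bitmask form of the ruleset quoted above, one nat-to and one rdr-to rule per /24 instead of one pair per host. It assumes 192.168.0.0/24 maps one-to-one onto X.Y.Z.0/24 (192.168.0.nn <-> X.Y.Z.nn, with X.Y.Z the thread's placeholder prefix) and an ext_if macro of em0.

```pf
# Added example (not from the original thread). Collapses the per-host
# nat-to/rdr-to pairs into one rule per /24 using the bitmask pool option.
# Assumes 192.168.0.0/24 <-> X.Y.Z.0/24 host-for-host; X.Y.Z is the
# placeholder prefix from the thread, em0 is an assumed interface.
ext_if = "em0"

anchor out on $ext_if from 192.168.0.0/16 {
    # Outbound: bitmask keeps the host part of the source (nn) and swaps in
    # the network part of X.Y.Z.0/24; static-port leaves source ports alone,
    # as in the original per-host rules.
    match out on $ext_if inet from 192.168.0.0/24 to any nat-to X.Y.Z.0/24 bitmask static-port
}

anchor in on $ext_if to X.Y.Z.0/20 {
    # Inbound: bitmask keeps the host part of the destination (nn) and swaps
    # in the network part of 192.168.0.0/24, which is the inverse mapping.
    match in on $ext_if inet from any to X.Y.Z.0/24 rdr-to 192.168.0.0/24 bitmask
}
```

`pfctl -nf pf.conf` parses the file without loading it, which is worth running before replacing a ruleset of this size.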
