On 2012-09-13, Michel Blais <mic...@targointernet.com> wrote:
> Hi,
>
> I just encountered a strange behaviour with the bi-nat rules. Since we optimize
> our firewall script via multiple anchors for our thousands of bi-nat rules, we
> don't use the bi-nat rule but instead use the 2 rules in different anchors.
> Example:
>
> anchor out on $ext_if from 192.168.0.0/16 {
>   anchor out on $ext_if from 192.168.0.0/24 {
>     match out on $ext_if inet from 192.168.0.1 to any nat-to X.Y.Z.1 static-port
>     match out on $ext_if inet from 192.168.0.2 to any nat-to X.Y.Z.2 static-port
>   }
> }
>
> anchor in on $ext_if to X.Y.Z.0/20 {
>   anchor in on $ext_if to X.Y.Z.0/24 {
>     match in on $ext_if inet from any to X.Y.Z.1 rdr-to 192.168.0.1
>     match in on $ext_if inet from any to X.Y.Z.2 rdr-to 192.168.0.2
>   }
> }
Can't help with the anchor thing (I don't see how they would simplify my
rulesets, so I only use them as places for other programs to hook into the
ruleset, e.g. ftp-proxy etc). But if the rules are exactly how you show,
with 192.168.0.nn and X.Y.Z.nn (same nn for original and translated
addresses), are you aware of this in pf.conf(5), which seems tailor-made
for this type of configuration?

[...]

     For af-to, nat-to and rdr-to options for which there is a single
     redirection address which has a subnet mask smaller than 32 for IPv4 or
     128 for IPv6 (more than one IP address), a variety of different methods
     for assigning this address can be used:

     bitmask
             The bitmask option applies the network portion of the
             redirection address to the address to be modified (source with
             nat-to, destination with rdr-to).

[...]
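An added example, not from this thread or from pf itself: it emulates what the bitmask pool option computes and checks whether a list of per-host nat-to/rdr-to pairs like the ones quoted above would be reproduced by a single "nat-to EXT/24 bitmask" plus "rdr-to INT/24 bitmask" rule pair. 203.0.113.0/24 stands in for the poster's X.Y.Z.0/24 placeholder and the address pairs are constructed; it also handles IPv6 and prefixes other than /24, which the thread does not show.

```python
import ipaddress

def bitmask_translate(addr: str, redirect: str) -> str:
    """Emulate pf.conf(5) 'bitmask': take the network portion of the
    redirection address and keep the host portion of the address being
    modified (source for nat-to, destination for rdr-to)."""
    a = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(redirect, strict=False)
    if a.version != net.version:
        raise ValueError("address family mismatch")
    translated = int(net.network_address) | (int(a) & int(net.hostmask))
    return str(ipaddress.ip_address(translated))

def not_collapsible(pairs, internal_net, external_net):
    """Return the (internal, external) pairs that a single
    'nat-to external_net bitmask' / 'rdr-to internal_net bitmask'
    rule pair would NOT reproduce; those must keep per-host rules."""
    leftovers = []
    for inside, outside in pairs:
        out_ok = bitmask_translate(inside, external_net) == outside
        in_ok = bitmask_translate(outside, internal_net) == inside
        if not (out_ok and in_ok):
            leftovers.append((inside, outside))
    return leftovers

# Constructed sample: 203.0.113.0/24 stands in for the poster's X.Y.Z.0/24.
INTERNAL_NET = "192.168.0.0/24"
EXTERNAL_NET = "203.0.113.0/24"
SAMPLE_PAIRS = [
    ("192.168.0.1", "203.0.113.1"),
    ("192.168.0.2", "203.0.113.2"),
    ("192.168.0.7", "203.0.113.70"),   # host bits differ: needs its own rule
]

if __name__ == "__main__":
    for inside, outside in SAMPLE_PAIRS:
        print(inside, "-> nat-to", bitmask_translate(inside, EXTERNAL_NET),
              "|", outside, "-> rdr-to", bitmask_translate(outside, INTERNAL_NET))
    print("pairs still needing per-host rules:",
          not_collapsible(SAMPLE_PAIRS, INTERNAL_NET, EXTERNAL_NET))
```

Any pair reported by not_collapsible() is one that the two bitmask rules would silently translate to a different address, so it has to stay as an explicit per-host match rule (or the mapping has to be renumbered first).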