On 2014-06-26, Tuyosi Takesima <nakajin.fu...@gmail.com> wrote:
> I pick
> ------------------------------
> # match rules
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> -------------------------------
> from http://www.openbsd.org/faq/pf/example1.html
>
> But these match rules don't work.
>
> according to man pf.conf
> 10.0.0.0 - 10.255.255.255 (all of net 10, i.e. 10/8)
> 172.16.0.0 - 172.31.255.255 (i.e. 172.16/12)
> 192.168.0.0 - 192.168.255.255 (i.e. 192.168/16)

> nat-to is usually applied outbound. If applied inbound, nat-to
> to a local IP address is not supported.

"applied outbound" means a rule using "match out".
"applied inbound" means a rule using "match in".

So this does not apply to you anyway because your nat-to rule is
"applied outbound".

"local IP address" means an "IP address on the machine running PF".

If you show the output of "pfctl -sr", "ifconfig -A" and
"sysctl net.inet.ip.forwarding", we may be able to help further.
