I've worked with this off and on for some time, but still don't know
what I'm not doing correctly.
I want to set queues to limit bandwidth for the streaming media devices
on my home network. Unfortunately, the "pass out" rules on my internal
network (external is PPPoE) don't ever trip for replies received from
the world.
The rule set below includes "match" lines so I can watch the
bidirectional traffic. Traffic that comes into my OpenBSD box from the
internal network on interface gem0 triggers the match rules. Replies
received from across the NAT never trigger rules for the other
direction. I've confirmed this with both "systat rules" and "pfctl -ss -v".
What am I missing?
OpenBSD version is 5.8 macppc.
block drop in log on egress all
block return in on ! lo0 proto tcp from any to any port 6000:6010
match on egress all scrub (no-df random-id reassemble tcp max-mss 1440)
pass out on egress from (self) to any flags S/SA nat-to (egress:0) round-robin
pass out on egress inet from 192.168.1.0/24 to any received-on gem0 flags S/SA nat-to (egress:0) round-robin
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! gem0 inet from 192.168.1.0/24 to any
block drop in quick inet from 192.168.1.1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick inet6 from ::1 to any
pass in on egress inet proto icmp from ! (egress) to (egress) icmp-type echoreq code 0
pass in on egress inet proto icmp from ! (egress) to (egress) icmp-type unreach code needfrag
pass in log on egress inet proto tcp from ! (egress) to (egress) port = 8022 flags S/SA modulate state rdr-to 127.0.0.1 port 8022
pass in on egress inet proto udp from ! (egress) to (egress) port = 1194 rdr-to 127.0.0.1
pass in on gem0 all flags S/SA
pass in on gem0 inet proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 22 flags S/SA modulate state rdr-to 127.0.0.1 port 8022
block drop out on gem0 all
match on gem0 inet from any to 192.168.1.64 # THESE THREE
match on gem0 inet from any to 192.168.1.57 # DO NOT
match on gem0 inet from any to 192.168.1.62 # TRIGGER
match on gem0 inet from 192.168.1.64 to any # these
match on gem0 inet from 192.168.1.57 to any # three
match on gem0 inet from 192.168.1.62 to any # trigger
pass out on gem0 inet from any to 192.168.1.0/24 flags S/SA
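As an added illustration of the queueing goal in the post (this fragment is not from the original message), pf consults the state table before the ruleset, so replies belonging to the state created by "pass in on gem0" never reach the "match"/"pass out on gem0" rules; the queue is therefore attached to the state-creating rule and defined on gem0, the interface the replies leave on. Queue names, bandwidth figures and the macro name are assumptions.

```pf
# Added example (not from the original post): rate-limit the streaming
# devices by attaching a queue to the state-creating rule on gem0.
# Queue names and bandwidths are assumed values.
media_hosts = "{ 192.168.1.64, 192.168.1.57, 192.168.1.62 }"

# Queues are defined on the interface the packets leave on; replies from
# the world reach the devices by going out on gem0.
queue rootq on gem0 bandwidth 100M
queue media parent rootq bandwidth 4M max 4M
queue std   parent rootq bandwidth 96M default

# pf checks the state table before the ruleset, so reply packets that
# belong to an existing state never evaluate "match" or "pass out on gem0"
# rules. Queue assignment has to happen on the rule that creates the
# state, i.e. when the device's own packet comes in on gem0. The "match"
# option is sticky and is applied by the "pass in" rule that follows.
match in on gem0 inet from $media_hosts set queue media
pass in on gem0 all flags S/SA

# Replies are queued on gem0 as part of the same state. A "pass out on
# gem0" rule is only consulted for packets without a state, such as
# connections the firewall itself opens towards the LAN.
pass out on gem0 inet from any to 192.168.1.0/24 flags S/SA
```

"pfctl -vvs queue" and "systat queues" show per-queue packet and byte counters, which is the check that confirms the replies are actually being queued.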