On 2020-03-27, Dirk Coetzee <d...@best-it.tech> wrote:
> Hi All,
>
> Without *block return label "block stateless traffic"* and *pass # establish 
> keep-state*, my NAT / redirect rules from external into LAN do not work. 
> Neither do rules that permit RDP to Windows Workstations on Tun0 interface. 
> FWIW: Wireguard uses this tun0 interface.

Without a "block" at the top of the ruleset you're likely to have some
traffic passed by the implicit default rule which is equivalent to
"pass flags any no state" which will cause some confusion.

You don't usually need a "pass" rule near the top though. I'd start with
block, then have whatever rules you want.

> TCPDump shows the destination IP sending a RST packet. Although the Internal 
> LAN interface shows no packet passing. That does not quite make sense to me - 
> but that is what happens. 
>
> I have read online and man pages etc, and all say that the "block return" and 
> "pass" rules are not necessary. In fact the example given at 
> https://www.openbsd.org/faq/pf/filter.html does not have these two initial 
> rules. These default rules were carried over from the /etc/example/pf.conf 

The PF faq pages haven't been touched very much in years, across many
major changes to PF. You're better off looking at the pf.conf(5) manual
and testing.
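As an added illustration of the advice above (not part of the original thread, and not Stuart's or Dirk's ruleset), here is a minimal pf.conf for OpenBSD that starts with a single "block" so the implicit "pass flags any no state" default can never apply, and then adds only the specific rules the thread mentions: an inbound redirect from the external interface into the LAN, and RDP from WireGuard peers on tun0 to LAN workstations. All interface names, addresses and the WireGuard listen port are assumptions; replace them with your own.

```pf
# Assumed interface names and addresses (placeholders, not from the thread)
ext_if  = "em0"
lan_if  = "em1"
wg_if   = "tun0"
lan_net = "192.168.1.0/24"
wg_net  = "10.10.0.0/24"
rdp_host = "192.168.1.10"      # LAN workstation reached via rdr-to
wg_port  = "51820"             # assumed WireGuard listen port

set skip on lo

# One block at the top, with return, so nothing is passed by the implicit
# default rule. "log" lets you watch drops on pflog0 while testing.
block return log

# Outbound NAT for the LAN, applied with match, then passed explicitly.
# Pass rules keep state by default, so "keep state" is not needed.
match out on $ext_if inet from $lan_net nat-to ($ext_if)
pass  out on $ext_if inet

# Let LAN hosts initiate connections through the firewall.
pass in on $lan_if inet from $lan_net

# WireGuard itself: UDP handshake/transport to the external address.
pass in on $ext_if inet proto udp to ($ext_if) port $wg_port

# Redirect inbound RDP on the external address to one LAN workstation.
# rdr-to in a pass rule translates and passes in one step; the state
# created here also covers the packet leaving $lan_if.
pass in on $ext_if inet proto tcp to ($ext_if) port 3389 rdr-to $rdp_host

# RDP from WireGuard peers to any LAN workstation, no NAT involved.
pass in on $wg_if inet proto tcp from $wg_net to $lan_net port 3389
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf` and inspect the parsed rules with `pfctl -sr`. This ruleset relies on OpenBSD's default `set state-policy floating`, which lets a state created on the inbound interface match the same connection as it leaves $lan_if; if you have switched to `if-bound`, add matching `pass out on $lan_if` rules. If a connection still fails, `tcpdump -n -e -ttt -i pflog0` shows exactly which rule blocked it, which is far quicker than comparing captures on the two interfaces.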
