On 2006/06/13 22:57, Alex Stamatis wrote:
> The translation is of course BEFORE the filtering! Any other thoughts about
> the problem?

I don't mean being listed first in pf.conf. I'm talking about
the order of actions on the packet.

1. Packets come into your box addressed to port 65500
2. NAT is carried out, port in packet is rewritten to 3389
3. Filter is carried out, port in packet says 3389:
 - does this match "pass in...to port 65500"? - no.
 - does this match "pass in...to port 65501"? - no.

The pass in rule must be for the *rewritten* port, i.e. 3389

If this is hard to understand, forget the separate 'pass in'
rules and just use 'rdr pass'.
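
The ordering described in the message above, written out as a pf.conf fragment in the rdr syntax this thread uses. This is an added example, not part of the original message; the interface name, the internal addresses and the mapping of port 65501 to a second host are assumptions.

```pf
# Constructed example: interface and internal hosts are assumptions.
ext_if = "em0"
rdp1   = "192.168.1.10"
rdp2   = "192.168.1.11"

# Translation is applied to the packet first: the destination
# address and port are rewritten before any filter rule is evaluated.
rdr on $ext_if proto tcp from any to any port 65500 -> $rdp1 port 3389
rdr on $ext_if proto tcp from any to any port 65501 -> $rdp2 port 3389

# Default deny on the external interface.
block in log on $ext_if all

# These never match: by filter time the packet says port 3389,
# so the redirected connections fall through to the block rule.
# pass in on $ext_if proto tcp from any to any port 65500 keep state
# pass in on $ext_if proto tcp from any to any port 65501 keep state

# These match: filter on the *rewritten* destination and port.
pass in on $ext_if proto tcp from any to $rdp1 port 3389 flags S/SA keep state
pass in on $ext_if proto tcp from any to $rdp2 port 3389 flags S/SA keep state

# Alternative: drop the pass rules above and let the redirect pass
# the packet itself. Packets matching 'rdr pass' skip the filter
# ruleset, so any source restriction has to go in the rdr rule.
# rdr pass on $ext_if proto tcp from any to any port 65500 -> $rdp1 port 3389
# rdr pass on $ext_if proto tcp from any to any port 65501 -> $rdp2 port 3389
```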
