Dear Stuart, your reply is very much appreciated! Thank you for sparing some time to help me out.
I am pasting the rules so you can understand what I did. If I understand correctly, I did what you suggest already! Take a look:

Nat - Rdr Rules :

nat on $ext_if from { 192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4 192.168.0.69 192.168.0.227 } to any -> ($ext_if)
#
rdr on $ext_if proto tcp from any to ($ext_if) port 3389 -> 192.168.0.1 port 3389
rdr on $ext_if proto tcp from any to ($ext_if) port 65500 -> 192.168.0.2 port 3389

Filtering Rules :

pass in on $ext_if proto tcp from any to any port 3389 keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port 65500 keep state

Best Regards
Alex

On 6/13/06, Stuart Henderson <[EMAIL PROTECTED]> wrote:
>
> On 2006/06/13 22:57, Alex Stamatis wrote:
> > The translation is of course BEFORE the filtering! Any other thoughts about
> > the problem?
>
> I don't mean, being listed first in pf.conf. I'm talking about
> the order of actions on the packet.
>
> 1. Packets come into your box addressed to port 65500
> 2. NAT is carried out, port in packet is rewritten to 3389
> 3. Filter is carried out, port in packet says 3389:
> - does this match "pass in...to port 65500"? - no.
> - does this match "pass in...to port 65501"? - no.
>
> The pass in rule must be for the *rewritten* port, i.e. 3389
>
> If this is hard to understand, forget the separate 'pass in'
> rules and just use 'rdr pass'.
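
The two fixes suggested in the quoted reply, written out as a pf.conf fragment. This is an added example, not part of the original thread; the interface name fxp0 is an assumption, and the rules use the same pf syntax as the rules pasted in the message.

```pf
# Added example, not from the thread.
# Assumption: fxp0 stands in for the real external interface.
ext_if = "fxp0"

# Translation. pf rewrites the destination address and port here,
# before any filter rule is evaluated.
rdr on $ext_if proto tcp from any to ($ext_if) port 3389  -> 192.168.0.1 port 3389
rdr on $ext_if proto tcp from any to ($ext_if) port 65500 -> 192.168.0.2 port 3389

# Before (rule from the message, commented out): it tests for port 65500 on
# the external address, but by the time the filter runs the packet is
# addressed to 192.168.0.2 port 3389, so this rule never matches.
# pass in on $ext_if inet proto tcp from any to ($ext_if) port 65500 keep state

# Option 1: filter on the rewritten destination. Naming the internal host
# in each rule keeps the opening limited to the two redirect targets.
pass in on $ext_if inet proto tcp from any to 192.168.0.1 port 3389 keep state
pass in on $ext_if inet proto tcp from any to 192.168.0.2 port 3389 keep state

# Option 2: drop the separate pass rule and let the redirect pass the packet.
# A packet matching 'rdr pass' is passed without being evaluated against the
# filter rules, so any restriction has to be written into the rdr rule itself.
# rdr pass on $ext_if proto tcp from any to ($ext_if) port 65500 -> 192.168.0.2 port 3389
```

Use one option per redirect, not both; the file can be syntax-checked without loading it with `pfctl -nf /etc/pf.conf`.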