J.C. Roberts wrote:
> match out on ? proto tcp from ? to any port ftp \
>     rdr-to 127.0.0.1 port 8021
You can't do that. rdr-to only works on input.
> Without testing it, I don't know how the potential loop can be avoided, or if it even needs to be avoided (note the "match out" example for isakmp in the pf.conf(5) man page).
That example uses nat-to, which only works on output.

Simon
--
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
vCard 4.0 --> http://www.vcarddav.org