I (still) have an unresolved issue with my work firewall (1.2-RC2) which I could really use some help with.
To recap, my configuration (which, apart from this, works just fine) looks like this, with the last octet xxxed out in strategic places:

# ifconfig -a
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::21b:24ff:fe2d:b00b%bge0 prefixlen 64 scopeid 0x1
        ether 00:1b:24:2d:b0:0b
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::21b:24ff:fe2d:b00c%bge1 prefixlen 64 scopeid 0x2
        inet 10.0.2.6 netmask 0xfffffffc broadcast 10.0.2.7
        ether 00:1b:24:2d:b0:0c
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
enc0: flags=41<UP,RUNNING> mtu 1536
pflog0: flags=100<PROMISC> mtu 33208
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
pfsync0: flags=41<UP,RUNNING> mtu 2020
        pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
vlan0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        inet 62.245.148.xxx netmask 0xffffffc0 broadcast 62.245.148.xxx
        inet6 fe80::21b:24ff:fe2d:b00b%vlan0 prefixlen 64 scopeid 0x7
        ether 00:1b:24:2d:b0:0c
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
        vlan: 3 parent interface: bge1

(The vlan0 is due to a switch VLAN, since I can only use 2 NICs out of 4 at the moment, until FreeBSD 7.x lands.) The ISP is rewriting the traffic originating from 10.0.2.6 to appear as if it came from 62.245.254.xxx.
# pfctl -s nat
nat-anchor "pftpx/*" all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on bge1 inet from 192.168.0.0/24 to any -> (bge1) round-robin
rdr-anchor "pftpx/*" all
rdr-anchor "slb" all
no rdr on bge0 proto tcp from any to <vpns> port = ftp
rdr on bge0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
rdr-anchor "imspector" all
rdr-anchor "miniupnpd" all

What I'm trying to do is to formulate the pf equivalent of (Linux)

iptables ... -j SNAT --to-source 62.245.148.xxx

I've tried adding something via Firewall -> (advanced) NAT -> Outbound, which resulted in

nat on bge1 inet from 192.168.0.0/24 to 62.245.148.xxx -> (bge1) round-robin

This has no effect if added alongside the existing

nat on bge1 inet from 192.168.0.0/24 to any -> (bge1) round-robin

rule, and if used alone it removes connectivity for the machines behind NAT (the firewall itself still works fine, and whenever I check my apparent IP with

fetch http://whatismyip.com && cat whatismyip.com | grep 'WhatIsMyIP.com -'

it's unchanged). So I'm stuck doing something stupid, and could really use a rule, or a pfctl incantation to try that rule, which does the equivalent of

iptables ... -j SNAT --to-source 62.245.148.xxx

Can I has a nice rule plz? Kthx.
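The following is an added example, not a rule from the original post or from the firewall's generated ruleset. In a pf nat rule, the `from` and `to` addresses select which packets the rule matches (source and destination); only the address after `->` is the new source. That is why `nat on bge1 ... to 62.245.148.xxx -> (bge1)` changed nothing when added (it only matched packets destined for the public address, and the first matching nat rule wins) and broke connectivity when used alone (no other LAN traffic was translated any more). The SNAT target also has to be an address that belongs to the egress interface: the 62.245.148.xxx address is configured on vlan0 (802.1Q tag 3 on bge1), so LAN traffic must actually leave on vlan0, and the nat rule must be `on vlan0`, for packets to carry that source. The example assumes the default route points out vlan0, and the macro `int_net` is introduced here for illustration.

```pf
# Added example, not from the original post.
# Assumptions: outbound traffic routes via vlan0, which carries the
# 62.245.148.xxx address; "int_net" is a macro introduced here.
int_net = "192.168.0.0/24"

# Equivalent of iptables SNAT: translate LAN traffic that leaves on vlan0
# to the address configured on vlan0. "(vlan0)" is resolved at run time,
# so the rule keeps working if the address changes; the static form is
# "-> 62.245.148.xxx" with the real address filled in.
nat on vlan0 inet from $int_net to any -> (vlan0)

# Keep the existing rule for whatever still leaves on untagged bge1; that
# traffic continues to be seen by the ISP as 62.245.254.xxx, as before.
nat on bge1 inet from $int_net to any -> (bge1)
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, and confirm the rule is in place with `pfctl -s nat`; `route -n get default` shows whether the default route really leaves via vlan0, and `pfctl -s state | grep 192.168.0.` shows which public address each LAN connection is being translated to. Then repeat the whatismyip fetch from a machine behind the firewall. The nat-anchors in the `pfctl -s nat` output suggest a tool-managed ruleset; on such a system the rule belongs in the tool's outbound NAT configuration, or in its own anchor loaded with `pfctl -a natrules -f /path/to/rules`, so it survives the next ruleset regeneration rather than being overwritten.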