From owner-freebsd-questions@FreeBSD.ORG Fri Feb 5 22:55:05 2010
To: freebsd-questions@freebsd.org
From: Ludovico Cavedon
Date: Fri, 5 Feb 2010 22:48:12 +0000 (UTC)
Subject: allow-opts on a nat pass rule
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Loom/3.14 (http://gmane.org/)
X-Injected-Via-Gmane: http://gmane.org/
List-Id: User questions

Hi all,

I have a freebsd 7.2-RELEASE-p2 firewall with a configuration like this:

#### BEGIN ###
ext_if4="em0"   # public interface
int_if="em1"    # private interface, to be source NATted

nat pass log (to pflog2) on $ext_if4 inet from $int_if:network to ! ($ext_if4) -> ($ext_if4)

block drop log                                          # logs to pflog0
pass quick log (to pflog1) on $int_if allow-opts        # private network
pass out from ($ext_if4) allow-opts modulate state      # public network
#### END ###

If I send a packet to a public host from a private one, everything is fine: the packet arrives at the destination, and is logged by pflog1 and pflog2. If this packet, however, contains an IP option (e.g. NOP), the packet is blocked by the firewall, and logged by pflog1 and pflog0.

Looks like it is not possible to specify "allow-opts" for the "nat pass" rules. Is there any way I can get packets with IP options to be NATted?

Thank you in advance,
Ludovico
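The following pf.conf fragment is an added example, not part of Ludovico's message or of any reply on the list. It assumes the pf rule grammar of that era, in which "allow-opts" is a filter-rule option only and a "nat pass" rule translates and passes the packet without consulting the filter rules (so no filter option can be attached to it), and in which "log" on a nat rule is accepted only together with "pass". Under those assumptions the translation is kept on a plain "nat" rule and the decision about IP options, together with the pflog2 logging, moves to an explicit "pass out" rule on the external interface. The interface names and pflog numbers are the ones from the message.

```pf
# Added example (not the poster's configuration). Assumes that
# "allow-opts" exists only on filter rules and that "nat pass"
# bypasses the filter rules entirely, so a translate-only "nat"
# rule is needed for a filter rule to ever see the packet.
ext_if4="em0"   # public interface
int_if="em1"    # private interface, to be source NATted

# Translate only: no "pass", so the packet is still evaluated by the
# filter rules below after translation. "log" is dropped here because
# the grammar (assumed) only allows it on nat rules that also "pass".
nat on $ext_if4 inet from $int_if:network to ! ($ext_if4) -> ($ext_if4)

# Default deny; anything not explicitly passed is dropped and logged to pflog0.
block drop log

# Private side: accept packets carrying IP options, but only from the
# local network, so allow-opts is scoped as narrowly as possible.
pass in quick log (to pflog1) on $int_if from $int_if:network allow-opts

# Public side, after translation: this is the filter rule that now carries
# allow-opts for the NATted traffic and takes over the pflog2 logging that
# previously sat on the "nat pass" rule.
pass out log (to pflog2) on $ext_if4 from ($ext_if4) allow-opts modulate state
```

Load it with "pfctl -nf /etc/pf.conf" first to have the parser confirm the grammar on the installed pf version before activating it. Note that the default-deny rule now applies to translated packets too, which is the safer arrangement: IP options such as source routing are a classic abuse vector, so they are only let through by the two rules that say "allow-opts" explicitly, and a packet with options is visible in pflog0 whenever neither of those rules matched it.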