From: Greg Barniskis <nalists@scls.lib.wi.us>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Fri, 04 Dec 2009 10:41:20 -0600
Subject: PF binat rule issue - feature or bug?
Message-ID: <4B193BB0.5000806@scls.lib.wi.us>

Using 7.2-RELEASE-p4 i386 with GENERIC kernel, I've found (the hard way) that if I have a pf.conf rule like

    nat on $ext_if proto { tcp udp icmp } from $my_subnet \
        to any -> some.public.ip.num

then pfctl will perform the expected expansion of the listed protocols into three separate NAT rules. However, if I have a rule like

    binat on $ext_if proto { tcp udp icmp } from $server_dmz_ip \
        to any -> $server_public_ip

then I will /only/ get one NAT rule, for TCP. Then things like NTP, DNS and ping will fail, but the filtering rules that permit such traffic will increment their byte, packet and state counters like PF is working just fine (and I suppose in some sense that the filtering part is).
But only if I explicitly declare in pf.conf a separate binat rule for each desired protocol, instead of listing them, will things work as needed. Feature or bug? If the former, it is not well documented that I could see. I expected that a list of protocols for a binat rule would just work, and pfctl certainly didn't mark it as bad syntax. If a bug, is this a FreeBSD bug or OpenBSD?
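The symptom above (a protocol list on a binat rule loading as a TCP-only translation) is easiest to catch by comparing the rules pf actually loaded against the protocols you meant to list. The following check is an added example, not part of the original mail: it reads `pfctl -s nat` output (or `pfctl -nvf /etc/pf.conf` output before loading) and reports which of tcp/udp/icmp have no binat rule for a given DMZ host. The two pfctl outputs embedded in it are constructed, and the addresses 10.0.0.5 and 203.0.113.5 are placeholders.

```shell
#!/bin/sh
# Added example: detect a binat rule set that covers fewer protocols than the
# pf.conf author listed. Feed it the output of `pfctl -s nat`
# (or `pfctl -nvf /etc/pf.conf` to inspect the expansion before loading).

# Protocols the list form `proto { tcp udp icmp }` was expected to expand to.
WANT_PROTOS="tcp udp icmp"

# missing_binat_protos HOST < pfctl-nat-output
# Prints the expected protocols that have no binat rule translating HOST.
# Returns 1 when something is missing, 0 when all are present.
missing_binat_protos() {
    host="$1"
    # pfctl prints one fully expanded rule per line; keep only binat rules
    # whose source is exactly HOST and collect the protocol of each.
    seen=$(awk -v h="$host" '
        $1 == "binat" && index($0, "from " h " ") > 0 {
            for (i = 1; i <= NF; i++) if ($i == "proto") print $(i + 1)
        }' | tr '\n' ' ')
    missing=""
    for p in $WANT_PROTOS; do
        case " $seen " in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        echo "$missing"
        return 1
    fi
    return 0
}

# Constructed pfctl output: what the list-form binat rule was observed to
# load (TCP only) next to the ordinary nat rule, which expanded correctly.
SAMPLE_NAT_TCP_ONLY='binat on em0 inet proto tcp from 10.0.0.5 to any -> 203.0.113.5
nat on em0 inet proto tcp from 10.0.0.0/24 to any -> 203.0.113.1
nat on em0 inet proto udp from 10.0.0.0/24 to any -> 203.0.113.1
nat on em0 inet proto icmp from 10.0.0.0/24 to any -> 203.0.113.1'

# Constructed pfctl output after the workaround: one explicit binat rule
# per protocol in pf.conf.
SAMPLE_NAT_FIXED='binat on em0 inet proto tcp from 10.0.0.5 to any -> 203.0.113.5
binat on em0 inet proto udp from 10.0.0.5 to any -> 203.0.113.5
binat on em0 inet proto icmp from 10.0.0.5 to any -> 203.0.113.5'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_NAT_TCP_ONLY" | missing_binat_protos 10.0.0.5 \
    || echo "list-form binat is missing protocols listed above"
printf '%s\n' "$SAMPLE_NAT_FIXED" | missing_binat_protos 10.0.0.5 \
    && echo "per-protocol binat rules cover tcp, udp and icmp"
```

On a live firewall, run `pfctl -s nat | missing_binat_protos "$server_dmz_ip"` after each rule reload so a silently dropped protocol shows up before DNS, NTP or ping fail.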