From owner-freebsd-net@freebsd.org  Thu Apr  4 05:22:50 2019
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id B4BD315630BA
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Thu,  4 Apr 2019 05:22:50 +0000 (UTC)
 (envelope-from artem@viklenko.net)
Received: from alf.viklenko.net (alf.viklenko.net [IPv6:2001:470:71:d72::61])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
 bits))
 (Client CN "*.viklenko.net", Issuer "Art&Co. CA Authority" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id EE68E85D80
 for <freebsd-net@freebsd.org>; Thu,  4 Apr 2019 05:22:49 +0000 (UTC)
 (envelope-from artem@viklenko.net)
Received: from [IPv6:2001:470:71:d72:1208:b1ff:fe93:6f45]
 ([IPv6:2001:470:71:d72:1208:b1ff:fe93:6f45]) (authenticated bits=0)
 by alf.viklenko.net (8.15.2/8.15.2) with ESMTPSA id x345Mipm072324
 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NO)
 for <freebsd-net@freebsd.org>; Thu, 4 Apr 2019 08:22:47 +0300 (EEST)
 (envelope-from artem@viklenko.net)
Subject: Re: need help with ipfw nat to pf nat migration
To: freebsd-net@freebsd.org
References: <20190401033424.GA95019@admin.sibptus.ru>
 <75502aa3-0e10-fbba-d56b-5716e91e7b27@akhmatov.ru>
 <20190402070346.GA15400@admin.sibptus.ru>
 <391e8839-00ce-0d2d-36e7-616c7d86cc30@viklenko.net>
 <20190404043004.GA10861@admin.sibptus.ru>
From: Artem Viklenko <artem@viklenko.net>
Message-ID: <4587c1d4-0fa6-40db-c394-5b3a2ee81646@viklenko.net>
Date: Thu, 4 Apr 2019 08:22:44 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.5.3
MIME-Version: 1.0
In-Reply-To: <20190404043004.GA10861@admin.sibptus.ru>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Language: uk-UA
Content-Transfer-Encoding: 8bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2
 (alf.viklenko.net [IPv6:2001:470:71:d72:0:0:0:61]);
 Thu, 04 Apr 2019 08:22:47 +0300 (EEST)
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2019 05:22:50 -0000

04.04.19 07:30, Victor Sudakov пише:
> 
> 1.
> 
>> pass in quick on $int_if inet proto tcp from $server to any flags S/SA keep state allow-opts tag SERVER
> 
> 2.
> 
>> block return-rst out log quick on $mob_if inet proto tcp to any port 25 tagged SERVER
> 
> You have already passed the packet with "quick" in the first rule, it
> probably will never hit the second "block" rule?
> 

No, each rule bound to different interface - i.e. different conditions.


-- 
Regards!