From: Artem Viklenko
Organization: Art&Co.
Subject: Re: need help with ipfw nat to pf nat migration
To: freebsd-net@freebsd.org
Date: Thu, 4 Apr 2019 09:25:02 +0300
Message-ID: <27907a35-8cae-06d0-a0e6-b7deb64ecbfd@viklenko.net>
In-Reply-To: <4587c1d4-0fa6-40db-c394-5b3a2ee81646@viklenko.net>
References: <20190401033424.GA95019@admin.sibptus.ru> <75502aa3-0e10-fbba-d56b-5716e91e7b27@akhmatov.ru> <20190402070346.GA15400@admin.sibptus.ru> <391e8839-00ce-0d2d-36e7-616c7d86cc30@viklenko.net> <20190404043004.GA10861@admin.sibptus.ru> <4587c1d4-0fa6-40db-c394-5b3a2ee81646@viklenko.net>
List-Id: Networking and TCP/IP with FreeBSD

On 04.04.19 08:22, Artem Viklenko via freebsd-net wrote:
> 04.04.19 07:30, Victor Sudakov wrote:
>>
>> 1.
>>
>>> pass in quick on $int_if inet proto tcp from $server to any flags S/SA keep
>>> state allow-opts tag SERVER
>>
>> 2.
>>
>>> block return-rst out log quick on $mob_if inet proto tcp to any port 25
>>> tagged SERVER
>>
>> You have already passed the packet with "quick" in the first rule; it
>> probably will never hit the second "block" rule?
>>
>
> No, each rule is bound to a different interface, i.e. different conditions.

Actually, you should check the state-policy in your configuration.
In my firewalls "set state-policy if-bound" is already present, as routing
is typically static.

"Your mileage may vary"...

--
Regards!
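An added pf.conf fragment, not taken from the thread, that puts the two rules quoted above next to the state-policy setting the reply points at, with pfctl commands to verify which rule the packets really hit. Interface names, the server address, the tag name and the nat rule are assumptions for illustration.

```pf
# pf.conf (constructed example; names and addresses are assumed)
int_if = "em0"          # LAN side, where the server's packets enter
mob_if = "ue0"          # mobile uplink, where outgoing SMTP is refused
server = "192.0.2.10"   # assumed server address (documentation range)

# With the default floating state policy, the state created by the
# "pass in" rule on $int_if also matches the same packets when they
# leave on $mob_if, so the ruleset is not evaluated there and the
# block rule is never reached. if-bound keys each state to the
# interface it was created on, so the SYN leaving on $mob_if is
# evaluated against the rules again and the tagged block applies.
set state-policy if-bound

# NAT the server's traffic on the mobile uplink (ipfw nat replacement)
nat on $mob_if from $server to any -> ($mob_if)

# 1. tag the server's new TCP connections on the way in
pass in quick on $int_if inet proto tcp from $server to any \
    flags S/SA keep state allow-opts tag SERVER

# 2. refuse tagged SMTP on the mobile uplink; the RST goes back to the server
block return-rst out log quick on $mob_if inet proto tcp to any port 25 \
    tagged SERVER

# everything else that was tagged may leave on the mobile uplink;
# this state is bound to $mob_if, so the replies match it on the way back
pass out quick on $mob_if inet tagged SERVER keep state

# Verification (run as root after loading the ruleset):
#   pfctl -nf /etc/pf.conf   # syntax check only
#   pfctl -f /etc/pf.conf    # load
#   pfctl -vsr               # per-rule Evaluations/Packets counters:
#                            # with floating states the block rule's
#                            # counters stay at zero for the server's
#                            # established flows, with if-bound they grow
#   pfctl -ss                # state table; if-bound states show the
#                            # interface they are tied to
```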