From: Damien Fleuriot <ml@my.gd>
Date: Wed, 14 Sep 2011 18:27:56 +0200
To: freebsd-pf@freebsd.org
Subject: Re: pf port redirection wierd behavior
Message-ID: <4E70D60C.2080202@my.gd>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 9/2/11 12:26 PM, Victor Nagoryanskii wrote:
> Hello!
> I've noticed weird behavior of pf port redirection. I have a FreeBSD 8.2 box
> which NATs my LAN. There are some http/mail servers present in the LAN; tcp
> port redirection works fine, but udp redirection to my H323 enabled device is
> strange.
>
> When I initiate a call, the replied udp packets are successfully redirected to
> my h323 device, but if the call is initiated from outside to me, the
> redirection just does not work (I can't hear the remote peer). I see udp packets
> hit my ext_if, but nothing appears on lan_if.
>
> pf.conf
>
> nat pass on $inet_if from $lan_net to any -> $inet_if
> rdr pass on $inet_if proto tcp from any to $inet_ip port {25,80} -> 10.0.0.2 # Work fine
> rdr pass on $inet_if proto tcp from any to $inet_ip port 1720 -> 10.0.0.4 # Work fine
> rdr pass on $inet_if proto udp from any to $inet_ip port 2048:2063 -> 10.0.0.4 # Work only if I initialising call
>
> pass all
>
> Also I tried to adjust the udp session timers:
>
> set timeout udp.first 300
> set timeout udp.single 150
> set timeout udp.multiple 900
>
> Is this a pf bug or have I misconfigured something in pf.conf?

There's no reason your UDP rdr rule shouldn't work.

You should run tcpdump on the target machine listening at 10.0.0.4 to check whether packets arrive or not:

tcpdump -ni eth0 ip and port 2048

I don't understand your "if I initialising call" statement.
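One way to act on the tcpdump suggestion above, capturing on the external interface and on the LAN side at the same time and comparing the two, as an added example that is not part of the thread and not anyone's posted code: a small Python helper that parses `tcpdump -n` UDP lines from both captures and reports which inbound flows aimed at the rdr range actually reached the LAN address. The sample capture lines, the external address 203.0.113.10, the remote peer 198.51.100.7 and the port numbers are constructed for the example; the LAN target 10.0.0.4 and the 2048:2063 range come from the pf.conf in the thread.

```python
import re
from collections import Counter

# Constructed sample output of "tcpdump -n" on the external interface.
# Third line is an inbound packet outside the rdr port range.
EXT_IF_LINES = """\
16:27:53.100001 IP 198.51.100.7.5004 > 203.0.113.10.2050: UDP, length 172
16:27:53.120001 IP 198.51.100.7.5005 > 203.0.113.10.2051: UDP, length 60
16:27:53.140001 IP 198.51.100.7.5006 > 203.0.113.10.2070: UDP, length 172
16:27:53.160001 IP 203.0.113.10.2050 > 198.51.100.7.5004: UDP, length 172
"""

# Constructed sample output of "tcpdump -n" on the LAN interface at the same time.
# Only the port-2050 flow shows up after translation to 10.0.0.4.
LAN_IF_LINES = """\
16:27:53.100500 IP 198.51.100.7.5004 > 10.0.0.4.2050: UDP, length 172
16:27:53.160500 IP 10.0.0.4.2050 > 198.51.100.7.5004: UDP, length 172
"""

# Matches the default tcpdump -n line format for IPv4 UDP packets.
TCPDUMP_UDP = re.compile(
    r"""^\S+\s+IP\s+
        (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+
        (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<len>\d+)""",
    re.X,
)


def parse_udp(text):
    """Yield (src, sport, dst, dport) for every UDP line; other lines are skipped."""
    for line in text.splitlines():
        m = TCPDUMP_UDP.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def inbound_flows(text, local_ip, port_range):
    """Count packets sent to local_ip, keyed by (remote_ip, dport),
    split into flows inside and outside the rdr port range."""
    lo, hi = port_range
    in_range, out_of_range = Counter(), Counter()
    for src, _sport, dst, dport in parse_udp(text):
        if dst != local_ip:
            continue  # outbound or unrelated traffic
        bucket = in_range if lo <= dport <= hi else out_of_range
        bucket[(src, dport)] += 1
    return in_range, out_of_range


def check_redirect(ext_text, lan_text, ext_ip, lan_ip, port_range=(2048, 2063)):
    """Compare inbound flows on ext_if against what arrived at lan_ip on lan_if.

    Returns which in-range flows were redirected, which were not, and which
    inbound flows hit ports the rdr rule does not cover at all."""
    ext_in, ext_out = inbound_flows(ext_text, ext_ip, port_range)
    lan_in, _ = inbound_flows(lan_text, lan_ip, port_range)
    return {
        "redirected": sorted(k for k in ext_in if k in lan_in),
        "not_redirected": sorted(k for k in ext_in if k not in lan_in),
        "outside_rdr_range": sorted(ext_out),
    }


if __name__ == "__main__":
    report = check_redirect(EXT_IF_LINES, LAN_IF_LINES, "203.0.113.10", "10.0.0.4")
    for key, flows in report.items():
        print(f"{key}: {flows}")
```

Feed it the two captures (for example `tcpdump -ni $inet_if udp` and `tcpdump -ni $lan_if udp` saved to files) and the "not_redirected" list tells you which remote/port pairs pf saw on the outside but never forwarded, while "outside_rdr_range" catches the case where the remote peer sends media to a port the rdr rule does not cover.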