Monday, August 08, 2022

Re: wg(4) on router - how to get working with clients

8 Aug 2022, 13:33 by stu.lists@spacehopper.org:

> Check that the packets from "external clients" are actually hitting
> your pf nat-to rule.
>
> You can check the state table (pfctl -ss -v) - if packets are hitting
> the nat-to rule you will see the natted address - if not then check
> the rule number from the state output and look up with "pfctl -sr -R
> $rule_number -v" to see which rule they really are hitting.
>
> Or you can use "log" in pf.conf, maybe with "match log(matches)", and
> check "tcpdump -nettipflog0".
>
> I like using "match ... nat-to" rather than putting nat-to on a "pass"
> rule. I find it's easier to deal with.
>

Thank you for this and the other suggestions. I will aim to try them out tomorrow and provide some feedback to all.
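
The state-table check suggested in the quoted reply can be scripted. This is an added example, not part of the original thread: it reads `pfctl -ss -v` text and lists, for each outbound state from a WireGuard client, the translated address (if any) and the rule number to pass to `pfctl -sr -R`. The 10.9.0.0/24 tunnel subnet, the sample states and the assumed output layout are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on `pfctl -ss -v` output (layout is an assumption).
SAMPLE = """\
all udp 203.0.113.2:61234 (10.9.0.2:40000) -> 198.51.100.7:53       MULTIPLE:SINGLE
   age 00:00:05, expires in 00:00:25, 1:1 pkts, 60:120 bytes, rule 7
all tcp 10.9.0.3:51000 -> 198.51.100.9:443       SYN_SENT:CLOSED
   [1234567890 + 64240]  [0 + 1]
   age 00:00:02, expires in 00:00:28, 3:0 pkts, 180:0 bytes, rule 12
all udp 192.0.2.1:51820 <- 198.51.100.20:33333       MULTIPLE:MULTIPLE
   age 00:10:00, expires in 00:00:55, 900:880 pkts, 90000:88000 bytes, rule 4
"""

# "<if> <proto> <wire addr> [(<pre-NAT addr>)] <dir> <peer>"
STATE = re.compile(
    r"^\S+ \S+ (?P<wire>\S+)(?: \((?P<orig>[^)]+)\))? (?P<dir>->|<-) (?P<peer>\S+)")
RULE = re.compile(r", rule (\d+)")

def _host(endpoint):
    # pf prints IPv4 as addr:port and IPv6 as addr[port]
    if "[" in endpoint:
        return endpoint.split("[")[0]
    return endpoint.rsplit(":", 1)[0]

def audit(text, wg_net):
    """Return outbound states whose original source is inside wg_net."""
    net = ipaddress.ip_network(wg_net)
    found, current = [], None
    for line in text.splitlines():
        m = STATE.match(line)
        if m:
            current = None
            src = m["orig"] or m["wire"]   # pre-NAT source if translated
            if m["dir"] == "->" and ipaddress.ip_address(_host(src)) in net:
                current = {"client": src, "peer": m["peer"], "rule": None,
                           "natted_to": m["wire"] if m["orig"] else None}
                found.append(current)
        elif current and (r := RULE.search(line)):
            current["rule"] = int(r[1])    # rule that created the state
    return found

if __name__ == "__main__":
    for s in audit(SAMPLE, "10.9.0.0/24"):
        status = s["natted_to"] or "NOT TRANSLATED"
        print(f'{s["client"]} -> {s["peer"]}: {status}, rule {s["rule"]}')
```

A state reported as not translated is leaving with its tunnel address, so the rule number shown is the one to inspect.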
