Hello all on the pf list,

for a really stupid german ISP I need to setup a binat with  
exceptions. Here is my current setup:

(Internet) -- (cable modem) -- [dhcp] (openbsd-router) [10.10.0.1] --  
[dhcp, 10.10.0.2] -- (Fritz!Box)

and

(openbsd-router) [172.16.1.1] -- [172.16.1.20] (Linux-Server)

What I want to do is redirect everything on every port from external  
ip of openbsd-router to the Fritz!Box on 10.10.0.1, the "Fritz!Box  
quarantine network".
Then I want to redirect a handful of port that are unused by the Fritz!
Box to internal machines on my private net.
And also I want to do nat for the internal private net 172.16.1.0/24.  
The usual stuff.

My solution would be to rdr pass all ports between the handful I want  
to forward to my private net to the Fritz!Box. That would probably  
work as expected, but I thought that binat could be a useful solution  
for not having 65.000 seperate rules (which would suck on an Alix  
board).

How would it work? I guess with the no keyword, but a small working  
example (copy&paste your working pf-rules without private data) would  
help a lot. I already found this thread from September 2008:

http://groups.google.com/group/bit.listserv.openbsd-pf/browse_thread/...

Would Martins example for for my case if ext_ip1 and ext_ip2 were the  
same?

Thanks in advance for any suggestions.

Falk

On 07/04/2009 04:59:21 AM, Falk Husemann wrote:

You could take advantage of the fact that the first
matching translation rule ends the processing,
so put your exceptions first and then a general
catch-all.

Don't forget that because binats are processed
before nats and rdrs a binat rule will cause
ftp-proxy anchors to be ignored.  So use a nat together with an rdr
instead of binat for those ports that ftp-proxy
might use.

Karl <k...@meme.com>
Free Software:  "You don't pay back, you pay forward."
                  -- Robert A. Heinlein