PF PF rdr pass question

[Sylgeist]

Can I get confirmation of my understanding of the FreeBSD pf? I'm trying to rdr a port using:

rdr pass inet proto tcp from any to $ext_if port X -> $int_ip

That works fine, but I was hoping to add options like (max-src-conn 10) to the rule. Am I correct that I would need to split out the redirect and pass rule to do that?

Thanks!

 

[SirDice]

Am I correct that I would need to split out the redirect and pass rule to do that?

Yes. The rdr pass causes all other filter rules to be ignored. And you can't add those options to the rdr pass line.

     If the pass modifier is given, packets matching the translation rule are
     passed without inspecting the filter rules:

 

[Sylgeist]

Thank you sirdice! I can't believe I blew right past that in the man page...

 

[SirDice]

It's easy to overlook. It's one line in a very large man page