int_if="en0"
ext_if1="wm0"
ext_if2="wm1"
ext_if3="wm2"
wes_ip="192.168.200.1"
wes_tcp_ports="{4899, 5357, 8000:8999, 10000:49999 }"
wes_udp_ports="{123, 161, 500, 938, 980, 3702, 4500, 5355, 8000:49999}"
nat on $ext_if1 from $int_if:network to any -> ($ext_if1:0)
rdr pass on $ext_if1 inet proto tcp from any to any port $wes_tcp_ports -> $wes_ip flags S/SA synproxy state
rdr pass on $ext_if2 inet proto tcp from any to any port $wes_tcp_ports -> $wes_ip
rdr pass on $ext_if1 inet proto udp from any to any port $wes_udp_ports -> $wes_ip
rdr pass on $ext_if2 inet proto udp from any to any port $wes_udp_ports -> $wes_ip
pass in log all

Oh, you're doing "rdr pass" instead of separate 'rdr' and 'pass' rules. I don't think you can do that and specify state types (keep/modulate/synproxy), as I'm pretty sure you're simply limited to using "pass" or not having it there at all. Running pfctl -nf on your ruleset gives me a syntax error on that line, which seems to confirm that unless there's another arrangement that works that I'm unaware of.

What I'd suggest is separating your translation rules from your filtering rules. While it's more concise to keep them together, I'm not a fan of doing so, as combining them bypasses all filtering, including anti-spoofing rules.

Edit: If you want to make sure the 'pass' is only used in conjunction with the 'rdr' rule for additional security, you can use policy-based filtering. Search for 'tag' or 'tagged' in the pf.conf(5) man page.

Thank you! I like your suggestion and will change it to have translation and rules separate.
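The separated layout suggested above, with the rdr rules tagging packets and the filter rules admitting only tagged traffic, as an added example that is not either poster's configuration. It reuses the original macros; the tag name WES_RDR, the default-deny block, the antispoof line and the unused ext_if3 being dropped are assumptions of this example.

```pf
# Macros from the original ruleset (ext_if3 was unused and is left out)
int_if="en0"
ext_if1="wm0"
ext_if2="wm1"
wes_ip="192.168.200.1"
wes_tcp_ports="{ 4899, 5357, 8000:8999, 10000:49999 }"
wes_udp_ports="{ 123, 161, 500, 938, 980, 3702, 4500, 5355, 8000:49999 }"

# Translation only: no "pass" keyword here, so a redirected packet still
# has to match a filter rule below. Each rdr rule tags what it redirects
# so the filter can tell "came through the rdr" from anything else.
nat on $ext_if1 from $int_if:network to any -> ($ext_if1:0)
rdr on { $ext_if1, $ext_if2 } inet proto tcp from any to any port $wes_tcp_ports tag WES_RDR -> $wes_ip
rdr on { $ext_if1, $ext_if2 } inet proto udp from any to any port $wes_udp_ports tag WES_RDR -> $wes_ip

# Filtering: default deny and anti-spoofing are now evaluated for the
# redirected traffic too, which "rdr pass" would have skipped.
block log all
antispoof quick for { $int_if, $ext_if1, $ext_if2 }

# Only packets tagged by the rdr rules are admitted, and the state
# options (synproxy, flags) that "rdr pass" rejected are valid here.
pass in on { $ext_if1, $ext_if2 } inet proto tcp from any to $wes_ip port $wes_tcp_ports tagged WES_RDR flags S/SA synproxy state
pass in on { $ext_if1, $ext_if2 } inet proto udp from any to $wes_ip port $wes_udp_ports tagged WES_RDR keep state
pass out on $int_if tagged WES_RDR keep state

# LAN to outside via the nat rule above.
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if1 keep state
```

Load-check it the same way as in the thread, with pfctl -nf, before installing it.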