Nat
OpenBSD 5.0 pf with NAT and port forwarding
Port forwarding does not seem to be working; incoming connections are apparently being blocked.
Is there something wrong with my pf.conf?
# Performance limits
set limit states 200000
set limit src-nodes 200000
set limit frags 1000000
set limit tables 20000
set limit table-entries 40000000

set skip on lo

ext_if = "re0"
int_if = "em0"

# Add UPnP rules
#anchor miniupnpd

server = "192.168.1.250"
server_tcp = "{22, 8887, 9001, 9030}"
server_udp = "{8887, 9001, 9030}"
wwwserver = "192.168.1.99"
wwwserver_tcp = "{80, 443}"
wwwserver_udp = "{}"
x79 = "192.168.1.100"
x79_tcp = "{18887 }"
x79_udp = "{18887 }"
t420 = "192.168.1.251"
t420_tcp = "{9222 }"
t420_udp = "{9222 }"

## Bad syntax warnings.. ignore for the moment
#all_tcp = "{ $server_tcp $wwwserver_tcp $x79_tcp $t420_tcp }"
#all_udp = "{ $server_udp $wwwserver_udp $x79_udp $t420_udp }"
#pass out on $ext_if proto tcp to port $all_tcp
#pass out on $ext_if proto udp to port $all_udp

# Default rules
pass #to establish keep-state
block in on $ext_if
#pass in keep state
#pass out keep state

# Nat
pass out on $ext_if from $int_if:network to any nat-to ($ext_if)

pass in on $ext_if proto tcp from any to any port $server_tcp rdr-to $server
pass in on $ext_if proto udp from any to any port $server_udp rdr-to $server
pass in on $ext_if proto tcp from any to any port $wwwserver_tcp rdr-to $wwwserver
#pass in on $ext_if proto udp from any to any port $wwwserver_udp rdr-to $wwwserver
pass in on $ext_if proto tcp from any to any port $x79_tcp rdr-to $x79
pass in on $ext_if proto udp from any to any port $x79_udp rdr-to $x79
pass in on $ext_if proto tcp from any to any port $t420_tcp rdr-to $t420
pass in on $ext_if proto udp from any to any port $t420_udp rdr-to $t420
I found the solution. rdr-to must be followed by an IP and a port, like 'rdr-to $ip port $port'.
# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# Resource limits
## root of all evil
set limit states 200000
set limit src-nodes 200000
set limit frags 1000000
set limit tables 20000
set limit table-entries 40000000

#set state-policy if-bound
set skip on lo

ext_if = "re0"
int_if = "em0"

# Add UPnP rules
anchor miniupnpd

server = "192.168.1.250"
wwwserver = "192.168.1.99"
x79 = "192.168.1.100"
t420 = "192.168.1.251"

# Default rules
pass #to establish keep-state
block in on $ext_if

# Nat
pass out on $ext_if from $int_if:network to !$int_if:network nat-to ($ext_if)

pass in on $ext_if proto tcp from any to any port 22 rdr-to $server port 22
pass in on $ext_if proto {tcp, udp} from any to any port 8887 rdr-to $server port 8887
pass in on $ext_if proto {tcp, udp} from any to any port 9001 rdr-to $server port 9001
pass in on $ext_if proto {tcp, udp} from any to any port 9030 rdr-to $server port 9030
pass in on $ext_if proto tcp from any to any port 80 rdr-to $wwwserver port 80
pass in on $ext_if proto tcp from any to any port 443 rdr-to $wwwserver port 443
pass in on $ext_if proto {tcp, udp} from any to any port 18887 rdr-to $x79 port 18887
pass in on $ext_if proto {tcp, udp} from any to any port 9222 rdr-to $t420 port 9222
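As an added example (not code from the question or the answer above), the following Python script expands a pf.conf's macros and its `rdr-to` rules into the effective forwarding table, one row per protocol and external port, and flags every rule that has no explicit `port` clause, which is the check the answer describes. The configuration embedded in it is constructed for the example and only mirrors the shape of the rules on this page; `SAMPLE_CONF`, `forwarding_table` and `rules_without_port` are names chosen here. It is a static, off-box checker: it does not run pfctl, it only understands the `pass in ... proto P ... port X rdr-to H [port Y]` rule form used above, and it assumes that a rule without a port clause keeps the external port.

```python
"""Expand the rdr-to rules of a pf.conf into the effective port-forwarding table.

Added example, not part of the original post. Static checker only: it does not
invoke pfctl and parses just the rule shape used on this page.
"""
import re

# Constructed sample modelled on the page's rules (not the poster's own file).
SAMPLE_CONF = """\
ext_if = "re0"
server = "192.168.1.250"
server_tcp = "{22, 8887}"
t420 = "192.168.1.251"
block in on $ext_if
pass in on $ext_if proto tcp from any to any port $server_tcp rdr-to $server
pass in on $ext_if proto {tcp, udp} from any to any port 9222 rdr-to $t420 port 9222
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*)"?\s*$')
RULE_RE = re.compile(
    r'^\s*pass\s+in\b.*?\bproto\s+(\{[^}]*\}|\w+)'   # proto tcp | {tcp, udp}
    r'.*?\bport\s+(\{[^}]*\}|\S+)'                   # external port(s)
    r'\s+rdr-to\s+(\S+)(?:\s+port\s+(\S+))?')        # target host [port N]


def expand_macros(text, macros):
    """Substitute $name with its macro value; repeat so macros may nest."""
    prev = None
    while prev != text:
        prev = text
        text = re.sub(r'\$(\w+)',
                      lambda m: macros.get(m.group(1), m.group(0)), text)
    return text


def split_list(token):
    """'{22, 8887}' -> ['22', '8887']; 'tcp' -> ['tcp']; '{}' -> []."""
    return [t for t in re.split(r'[\s,{}]+', token) if t]


def forwarding_table(conf):
    """Return one row per (proto, external port) that an rdr-to rule forwards."""
    macros, rows = {}, []
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and commented-out rules
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        r = RULE_RE.search(expand_macros(line, macros))
        if not r:
            continue
        protos, ext_ports, host, int_port = r.groups()
        for proto in split_list(protos):
            for ext in split_list(ext_ports):
                rows.append({
                    'proto': proto, 'ext_port': ext, 'host': host,
                    # assumption: without a port clause the external port is kept
                    'int_port': int_port if int_port else ext,
                    'explicit_port': int_port is not None,
                })
    return rows


def rules_without_port(rows):
    """The check the answer describes: rdr-to rows lacking an explicit 'port'."""
    return [r for r in rows if not r['explicit_port']]


if __name__ == '__main__':
    table = forwarding_table(SAMPLE_CONF)
    for row in table:
        flag = '' if row['explicit_port'] else '   <- no explicit port'
        print(f"{row['proto']:<4} :{row['ext_port']:<6} -> "
              f"{row['host']}:{row['int_port']}{flag}")
    print(f"{len(rules_without_port(table))} rule(s) rely on the default port")
```

On the firewall itself the authoritative checks are `pfctl -nf /etc/pf.conf` (parse only), `pfctl -f /etc/pf.conf` to load, `pfctl -sr` to see the rules as pf actually expanded them, and `pfctl -ss` to see whether a state is created for a test connection. The header comment in the answer's file is not decorative: with `net.inet.ip.forwarding` at 0 the redirected packets are never forwarded to the inside host, so confirm it with `sysctl net.inet.ip.forwarding` before blaming the rules. Note also that pf uses last-matching-rule semantics, so the `pass in ... rdr-to` rules must stay after `block in on $ext_if`, as they do in both files above.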