Nat interfering with filtering rules

Chris Telting cdtelting-ml at comcast.net
Wed Apr 12 04:51:00 UTC 2006


Hello everyone,

pf newbie here.  I've been playing with rules for a day and I can't seem to wrap my head around what I'm supposed to do.  First off, I believe in "block all" and want an explicit opt-in system.  NAT is kind of getting in the way.

pf.conf
-------------
int_if="em0"
ext_if="rl0"
int_net="192.168.2.0/24"

# NAT supposedly wants to be at the top of the list
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Block everything, all rules are explicitly opt in
block log all
# Allow all local traffic on local network
pass in on $int_if from $int_if:network to any
pass out on $int_if from $int_if:network to any
# Pass out to internet all local network traffic and keep state to allow connect
pass out on $ext_if from $int_if:network to any keep state
#pass from any to any

This doesn't work because the packet IP address has already been translated before the filter could get to it on $ext_if.  If I change the rule to "from $ext_if" I can't distinguish between packets originating on the local network versus the gateway/server.  And if I do so anyway, even if I specify "keep state" the returning packets don't get through from their external IP addresses.  Only if I declare explicit pass in rules from specific IP addresses will I get return traffic.  Is there any way to do this without using a blanket "from any to any"?  My first line of defence is identifying the traffic source.  Can I possibly change the priority of NAT so that it is the last action processed?

Of course after I get it working I'll add port-specific rules.  I'll appreciate any help offered.


Blue
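One way to keep the "identify the source first" policy while still letting NAT rewrite the outbound address, as an added example that is not part of the original post: tag the packets on the inside interface, where their source is still the LAN address, and let the tag rather than the already-translated address select them on the outside interface. This assumes the FreeBSD 6-era pf syntax used in the post (separate nat rules that are evaluated before the filter rules, keep state spelled out explicitly) and reuses the interface and network names from the post; the port list for the gateway's own traffic is a placeholder, not something the post specifies.

```conf
int_if="em0"
ext_if="rl0"
int_net="192.168.2.0/24"

# Translation rules are evaluated before filter rules in this pf version,
# so any filter rule on $ext_if sees the source already rewritten to ($ext_if).
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny; everything below is an explicit opt-in. Loopback is exempt.
block log all
pass quick on lo0 all

# Decide who may talk on the inside interface, where the real source address
# is still visible, and mark those packets. Per pf.conf(5) the tag is sticky:
# it follows the packet to $ext_if and is kept with the state entry, so later
# packets of the same connection carry it too. keep state here also lets the
# replies back out on $int_if without a separate pass out rule there.
pass in on $int_if from $int_net to any tag LAN keep state

# On the outside interface "from $int_net" can never match (the address is
# already translated), so select LAN traffic by its tag instead. Packets that
# originate on the gateway carry no tag and fall through to the block rule.
pass out on $ext_if tagged LAN keep state

# Opt the gateway's own traffic in separately and narrowly. DNS and NTP are
# placeholder services here; list whatever the host actually needs.
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to any port { 53, 123 } keep state
```

Check the file with pfctl -nf /etc/pf.conf (parse only) before loading it with pfctl -f. After some LAN traffic has flowed, pfctl -vsr prints evaluation and match counters per rule, which confirms that LAN connections are being counted against the tagged rule and not against the gateway's own rule, and pfctl -ss lists the state entries created on each interface.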




More information about the freebsd-pf mailing list