packet filter : official documentation not enough, questions remain

From: Guillaume Kaddouch (
Date: 11/22/04

Date: Mon, 22 Nov 2004 14:57:23 +0100


I posted recently asking about how good OpenBSD was, and lastly I made
the jump, formatted my Linux gateway, and installed OpenBSD 3.6 instead.

Firstly I am really impressed by this extremely secure OS and all of the
options available to harden it (immutable flags, encrypt swap,
randomization of ISN, etc...).

However, being from the Linux NetFilter school (iptables), I have a hard
time understanding some things about Packet Filter.
I just wish to highlight that I know forwarding/nat/packet
tagging/redirection/QoS and firewalls in general etc... and that only
the syntax and the PF philosophy give me a hard time getting started with it
(being different from NetFilter).

1 - firstly about NAT and "keep state", it is said in the official
documentation that
"nat, binat, and rdr rules implicitly create state for matching
connections as long as the connection is passed by the filter ruleset."
which I understand as the NAT implicitly doing a "keep state", but I am
not sure about what the end of the sentence "as long as the connection
is passed by the filter ruleset" means, if someone can explain it to me.
A NAT as we know it would simply keep the states, full stop; I don't
see what the end of the sentence means (please note that English is not
my native language, so maybe something escapes my understanding
here, and no, I never read the documentation in my language because the
translations are always very bad).

Secondly, what are the benefits of not writing a nat rule like "nat pass
on ..." and using instead the "nat on ..." without the "pass" ?
As I understand, you don't need to let the packets go through the
filtering rules to apply a "keep state" on outbound packets because it
is already done; unless maybe NAT does a "keep state" only and in
the rules we can override it with a "modulate state" for tcp ?
In this case it would be a benefit not to use the "pass" keyword in the
nat rule.

2 - Then about the keep state feature "modulate state" and the scrub
feature "random-id", the first is for randomizing the "Initial Sequence
Number (ISN) of outgoing connections" and the second for randomizing "IP
identification field of outgoing packets".
Are they the same IP field/feature ?
If not, I suppose it would be good to use both ?

3 - I would want to load, when I need it, a small ruleset and insert it into
the loaded PF rules, and unload it when needed too, without
damaging the loaded rules, and without the need to reload the whole PF
rule sets.
From what I have read it can be achieved with "anchors" but the
examples provided are not much help (at least I didn't
understand how to do what I need).
How could I for instance load 2 redirection rules and 2 filtering rules
and unload them when needed ?
With NetFilter there was the switch "-A" for add and "-D" for delete,
it was simple.

4 - Finally, about QoS, I followed the documentation carefully but I
guess that anyway I am doing something wrong.
My purpose is very simple : I am on a LAN behind the BSD gateway, itself
behind a modem/router, and I would want to give priority to a particular
However, I have a problem knowing which value I need to set for the root
queue, between the modem speed of 65Kb of download or the LAN card of
100Mb ? Does it change anything ? Do I have to do the "altq" on the
external interface or on the lan interface of the gateway ?
Anyway, using either one, launching many downloads on a LAN PC and
trying to give priority to my traffic does not seem to work (let's say
it's a game and I do not want to lag).
Is there a clean and simple example of this ?
(let's say I want to give priority to inbound UDP packets coming from
remote port 10 000 and to destination of my IP).

I know that's a lot of questions, and I thank in advance anyone
answering even just one of them.

Best regards,
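As an added example for question 3 (not part of the original post, and not OpenBSD project code), the following script shows the anchor mechanism the documentation refers to: the main pf.conf gets three one-line hooks, and a small ruleset of 2 rdr rules and 2 filter rules is then loaded into, or flushed from, that anchor with pfctl without reloading anything else. The interface name, LAN host, service port and anchor name are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a detachable PF ruleset kept
# in an anchor, so it can be loaded and unloaded independently of pf.conf.
# Assumed values (constructed, not from the post):
EXT_IF="fxp0"
LAN_HOST="192.168.1.10"
SVC_PORT="10000"
ANCHOR="game"

# Lines that belong in the main /etc/pf.conf (loaded once with "pfctl -f").
# They reserve the point at which the anchor's nat/rdr and filter rules are
# evaluated; the anchor itself may stay empty until something is loaded.
main_hooks() {
    cat <<EOF
nat-anchor "$ANCHOR"
rdr-anchor "$ANCHOR"
anchor "$ANCHOR"
EOF
}

# The detachable ruleset: 2 redirection rules plus 2 filter rules.
# Macros are redefined here because a file loaded with "pfctl -a" is parsed
# on its own and does not see the macros defined in pf.conf.
game_ruleset() {
    cat <<EOF
ext_if="$EXT_IF"
lan_host="$LAN_HOST"
rdr on \$ext_if proto udp from any to (\$ext_if) port $SVC_PORT -> \$lan_host
rdr on \$ext_if proto tcp from any to (\$ext_if) port $SVC_PORT -> \$lan_host
pass in on \$ext_if proto udp from any to \$lan_host port $SVC_PORT keep state
pass in on \$ext_if proto tcp from any to \$lan_host port $SVC_PORT flags S/SA keep state
EOF
}

# Load the ruleset into the anchor only; the main ruleset is untouched.
load_game()   { game_ruleset | pfctl -a "$ANCHOR" -f -; }
# Flush only the anchor's filter and nat rules. "-F rules"/"-F nat" scoped
# with -a leave the main ruleset and the state table alone ("-F all" would
# also clear states, which is usually not wanted here).
unload_game() { pfctl -a "$ANCHOR" -F rules; pfctl -a "$ANCHOR" -F nat; }
# Show what is currently loaded in the anchor.
show_game()   { pfctl -a "$ANCHOR" -s nat; pfctl -a "$ANCHOR" -s rules; }

case "${1:-}" in
    hooks)  main_hooks ;;
    load)   load_game ;;
    unload) unload_game ;;
    show)   show_game ;;
esac
```

Run as root on the gateway: `./game.sh hooks` prints the lines to add to pf.conf once, then `./game.sh load` and `./game.sh unload` attach and detach the four rules at will.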