[pf4freebsd] Re: pf and ipfw
Max Laier
max at love2party.net
Wed Sep 15 21:11:31 PDT 2004
On Tuesday 10 August 2004 14:44, Muhammad Reza wrote:
> # nat outgoing connections on each internet interface
> nat on $ext_if1 from $lan_net to any -> $gw1
> nat on $ext_if2 from $lan_net to any -> $gw2
> nat on $ext_if1 from $dmz_net to any -> $gw1
> nat on $ext_if2 from $dmz_net to any -> $gw2
>
> # smtp access from outside
> rdr on $ext_if proto tcp from any to $server_ext port smtp -> $server_dmz port smtp
That can't work! For a client connecting to your smtp that would look like the
following:
1) $client:cport connects to $server_ext:25
2) pf RDRs to $server_dmz:25
3) $server_dmz:sport replies to $client:cport
4) pf NATs to one of $gw1:sport1 or $gw2:sport2
5) $client does not recognize the reply, as it is expecting to receive it from
$server_ext and not from $gw1 or $gw2
You have to make sure that replies from $server_dmz are translated to
$server_ext.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
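As an added illustration of the fix the reply asks for (not configuration from this thread or from the pf project), here is a pf.conf fragment that keeps the DMZ mail server's replies translated back to $server_ext. It reuses the macro names from the quoted config; the interface name and the addresses are placeholders, and it assumes $server_ext is an address on the $ext_if1 link and that replies to inbound SMTP are routed back out $ext_if1.

```pf
# Added example, not from the thread. Interface and addresses are placeholders.
ext_if1    = "em0"
server_ext = "203.0.113.25"   # public address the clients connect to
server_dmz = "192.168.2.25"   # mail server in the DMZ
dmz_net    = "192.168.2.0/24"
gw1        = "203.0.113.1"    # address used for general DMZ masquerading

# binat is a fixed 1:1 mapping that applies in both directions: inbound
# packets to $server_ext are rewritten to $server_dmz, and outbound packets
# from $server_dmz (including the replies from step 3 above) leave as
# $server_ext. pf evaluates binat before nat for outbound packets, so the
# general DMZ nat rule below no longer rewrites the server's replies to $gw1.
binat on $ext_if1 from $server_dmz to any -> $server_ext

# general masquerading for the rest of the DMZ stays as before
nat on $ext_if1 from $dmz_net to any -> $gw1

# filter rules see post-translation addresses, so the pass rule names the
# DMZ address; only smtp is let in to the mapped host
block in on $ext_if1 all
pass in on $ext_if1 proto tcp from any to $server_dmz port smtp keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -s state` during a test connection: a single state entry should show the client talking to $server_ext while the DMZ side sees $server_dmz, with no second entry translating the reply to $gw1.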