[pf4freebsd] Re: pf and ipfw
sam
samwun at hgdbroadband.com
Wed Sep 15 21:11:46 PDT 2004
Muhammad Reza wrote:
> Max Laier wrote:
>
>> On Tuesday 10 August 2004 14:44, Muhammad Reza wrote:
>>
>>
>>> # nat outgoing connections on each internet interface
>>> nat on $ext_if1 from $lan_net to any -> $gw1
>>> nat on $ext_if2 from $lan_net to any -> $gw2
>>> nat on $ext_if1 from $dmz_net to any -> $gw1
>>> nat on $ext_if2 from $dmz_net to any -> $gw2
>>>
>>> # smtp access from outside
>>> rdr on $ext_if proto tcp from any to $server_ext port smtp ->
>>> $server_dmz port smtp
>>>
>>
>>
>> That can't work! For a client connecting to your smtp that would look
>> like the following:
>> 1) $client:cport connects to $server_ext:25
>> 2) pf RDRs to $server_dmz:25
>> 3) $server_dmz:sport replies to $client:cport
>> 4) pf NATs to one of $gw1:sport1 or $gw2:sport2
>> 5) $client does not recognize as it is expecting to receive a reply
>> from $server_ext and not from $gw1 or $gw2
>>
>> You have to make sure that replies from $server_dmz are translated to
>> $server_ext.
>>
>>
>>
> Thanks list for great response.
>
> To make sure that replies from $server_dmz are translated to
> $server_ext, I add this line (cmiiw)
>
> nat on $ext_if1 from $dmz_net to any -> $server_ext
>
> This rule says to perform NAT on the $ext_if interface for any packets
> coming from $dmz_net and to replace the source IP address with
> $server_ext.
>
> But it still can't work :(. But if I add a default gateway to the internet,
> the redirect can work, but not with load balancing.
> Please help me.
>
How about using "sticky" and "source-hash" in the rule?
sam
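An added pf.conf sketch, not taken from the thread or from any of its posters, that puts the pieces discussed above in one place: the rule ordering that makes $server_dmz reply as $server_ext, the round-robin pool with the sticky option Sam mentions, and (going one step beyond the thread) a reply-to rule so that redirected SMTP replies leave through the interface they arrived on. Interface names, addresses and gateway values are assumptions; only the macro names follow the thread.

```conf
# Added example; interface names, addresses and gateways are assumptions.
ext_if1 = "fxp0"
ext_if2 = "fxp1"
int_if  = "fxp2"
dmz_if  = "fxp3"
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
server_dmz = "192.168.2.25"
server_ext = "203.0.113.25"   # public address that belongs to the $ext_if1 side
gw1 = "203.0.113.1"
gw2 = "198.51.100.1"

# nat/rdr rules are first-match, so the server-specific source translation
# must come before the general per-network rules or it is never reached.
nat on $ext_if1 from $server_dmz to any -> $server_ext

# General outbound NAT for the rest of the LAN and DMZ (as in the thread)
nat on $ext_if1 from $lan_net to any -> $gw1
nat on $ext_if2 from $lan_net to any -> $gw2
nat on $ext_if1 from $dmz_net to any -> $gw1
nat on $ext_if2 from $dmz_net to any -> $gw2

# Inbound SMTP is redirected on the interface that owns $server_ext
rdr on $ext_if1 proto tcp from any to $server_ext port smtp -> $server_dmz port smtp

# Outbound load balancing for LAN clients: round-robin over both gateways;
# sticky-address keeps all connections from one client on the same gateway.
pass in on $int_if route-to { ($ext_if1 $gw1), ($ext_if2 $gw2) } \
    round-robin sticky-address from $lan_net to any keep state

# Connections the mail server itself opens stay on $ext_if1, so their
# source address is always $server_ext and never one of the gateways.
pass in on $dmz_if route-to ($ext_if1 $gw1) from $server_dmz to any keep state

# Replies to the redirected SMTP session are routed back out $ext_if1 via $gw1
# regardless of the default route (reply-to routes the opposite direction of
# the connection); the destination is already translated when filtering runs.
pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp \
    from any to $server_dmz port smtp flags S/SA keep state
```

The reply-to rule is what removes the dependence on a default gateway noted in the thread: without it, the DMZ host's replies match the rdr state and are then routed by the ordinary routing table, which is why the redirect only worked once a default route existed and broke again under load balancing.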