[pf4freebsd] Re: pf and ipfw
Muhammad Reza
reza at mra.co.id
Wed Sep 15 21:11:41 PDT 2004
Max Laier wrote:
>On Tuesday 10 August 2004 14:44, Muhammad Reza wrote:
>
>># nat outgoing connections on each internet interface
>>nat on $ext_if1 from $lan_net to any -> $gw1
>>nat on $ext_if2 from $lan_net to any -> $gw2
>>nat on $ext_if1 from $dmz_net to any -> $gw1
>>nat on $ext_if2 from $dmz_net to any -> $gw2
>>
>># smtp access from outside
>>rdr on $ext_if proto tcp from any to $server_ext port smtp ->
>>$server_dmz port smtp
>
>That can't work! For a client connecting to your smtp that would look like the
>following:
>1) $client:cport connects to $server_ext:25
>2) pf RDRs to $server_dmz:25
>3) $server_dmz:sport replies to $client:cport
>4) pf NATs to one of $gw1:sport1 or $gw2:sport2
>5) $client does not recognize it, as it is expecting to receive a reply from
>$server_ext and not from $gw1 or $gw2
>
>You have to make sure that replies from $server_dmz are translated to
>$server_ext.
>
Thanks list for great response.
To make sure that replies from $server_dmz are translated to
$server_ext, I added this line (cmiiw):
nat on $ext_if1 from $dmz_net to any -> $server_ext
This rule says to perform NAT on the $ext_if interface for any packets
coming from $dmz_net and to replace the source IP address with $server_ext.
But it still doesn't work :(. If I add a default gateway to the internet, the
redirect works, but not with load balancing.
Please help me.
regards
reza
cmmiw:
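As an added illustration (not part of this thread and not Reza's or Max's configuration), here is one way to write the DMZ mail server's translation in pf.conf so that its replies carry the $server_ext source address and leave through the link the connection arrived on. It keeps the thread's macro names; the interface names, the addresses (RFC 5737 test ranges), and the $ext_gw1/$ext_gw2 upstream-router macros are assumptions. It relies on two pf facts: translation rules (nat, rdr, binat) are evaluated first-match, and reply-to pins the return packets of a state to a given interface and next hop.

```pf
# Added example, not from the thread. All addresses and interface names are
# assumed values chosen for illustration.
ext_if1 = "fxp0"
ext_if2 = "fxp1"
gw1 = "192.0.2.1"          # assumed address of $ext_if1
gw2 = "198.51.100.1"       # assumed address of $ext_if2
ext_gw1 = "192.0.2.254"    # assumed upstream router on link 1
ext_gw2 = "198.51.100.254" # assumed upstream router on link 2
server_ext = "192.0.2.25"  # assumed public address of the mail server (on link 1)
server_dmz = "10.0.2.25"   # assumed private address of the mail server in $dmz_net
lan_net = "10.0.1.0/24"
dmz_net = "10.0.2.0/24"

# Translation rules are first-match. A host-specific mapping therefore has
# to come BEFORE the catch-all nat for $dmz_net, otherwise the catch-all
# wins and the server's replies leave as $gw1 instead of $server_ext.
#
# binat is a 1:1 bidirectional mapping: inbound packets to $server_ext are
# translated to $server_dmz, and outbound packets from $server_dmz leave as
# $server_ext. It replaces both an rdr and a separate nat rule for the host.
binat on $ext_if1 from $server_dmz to any -> $server_ext

# Equivalent with the thread's rdr/nat pair (kept here as a comment):
#   nat on $ext_if1 from $server_dmz to any -> $server_ext
#   rdr on $ext_if1 proto tcp from any to $server_ext port smtp -> $server_dmz port smtp
# Note the nat line is scoped to $server_dmz only, not to all of $dmz_net,
# so other DMZ hosts do not masquerade as the mail server.

# Catch-all NAT for the rest of the traffic (as in the thread)
nat on $ext_if1 from $lan_net to any -> $gw1
nat on $ext_if2 from $lan_net to any -> $gw2
nat on $ext_if1 from $dmz_net to any -> $gw1
nat on $ext_if2 from $dmz_net to any -> $gw2

# Filtering happens after translation, so the pass rule matches the
# translated (DMZ) destination. Only SMTP is allowed in, and reply-to pins
# the return traffic to link 1 so that route-to load balancing for outbound
# LAN traffic cannot push the server's replies out through $ext_if2.
block in on { $ext_if1, $ext_if2 } all
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp \
    from any to $server_dmz port smtp keep state
```

Rules for the internal interfaces and the route-to rules that do the outbound load balancing are left out; they are unchanged by this. `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -s nat` prints the loaded translation rules in evaluation order (the binat line should appear before the catch-all nat lines), and `pfctl -s state` shows, for a live SMTP connection, whether the outbound side of the state was translated to $server_ext or to $gw1.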