Port redirection just not working!

Jon Simola jon at abccomm.com
Wed Feb 1 09:25:22 PST 2006


On 2/1/06, Keith Bottner <keith at barkinglizards.com> wrote:

> I am having a problem getting packet filter to redirect incoming traffic
> destined for a specific IP and port to an internal DMZ host.

> rdr pass on $ext_if proto tcp from any to $ext_http_addr port 9874 -> $dmz_clip_addr

If you use an RDR to punch traffic to a DMZ host, you also need a NAT
rule in the opposite direction to make sure the traffic reappears from
the same IP. What I'm doing:

rdr on em0 proto tcp from any to $user_mailserver port {pop3, smtp} -> 10.188.0.7
nat on em0 proto tcp from 10.188.0.7 port {pop3, smtp} to any -> $user_mailserver

rdr on vlan130 proto tcp from vlan130:network to $user_mailserver port {pop3,smtp} -> 10.188.0.7
nat on vlan130 proto tcp from 10.188.0.7 port {pop3,smtp} to vlan130:network -> $user_mailserver

Of course, this leads to huge piles of rules but is working great. (2
per server per interface)

--
Jon Simola
Systems Administrator
ABC Communications
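The two points in the thread, a reverse nat for every rdr and the resulting two rules per server per interface, as an added Python example that is not from the thread or from pf itself: it builds the rdr/nat pair for a host on an interface, and scans a pf.conf for any rdr that has no matching reverse nat. It assumes the old rdr/nat syntax used above, one rule per line, and the sample conf is constructed from the rules quoted in the thread.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Redirect:
    iface: str        # interface the rule is attached to, e.g. "em0"
    src: str          # source spec: "any" or "vlan130:network"
    public: str       # public address or macro, e.g. "$user_mailserver"
    ports: tuple      # e.g. ("pop3", "smtp") or ("9874",)
    internal: str     # DMZ host the traffic is redirected to

def port_spec(ports):
    return ports[0] if len(ports) == 1 else "{" + ", ".join(ports) + "}"

def rule_pair(r):
    """The rdr plus its reverse nat: two rules per server per interface."""
    rdr = (f"rdr on {r.iface} proto tcp from {r.src} to {r.public} "
           f"port {port_spec(r.ports)} -> {r.internal}")
    nat = (f"nat on {r.iface} proto tcp from {r.internal} port {port_spec(r.ports)} "
           f"to {r.src} -> {r.public}")
    return rdr, nat

# Matchers for the old rdr/nat syntax, one rule per line (no "\" continuation).
RDR_RE = re.compile(r"^rdr(?:\s+pass)?\s+on\s+(\S+)\s+proto\s+tcp\s+from\s+(.+?)"
                    r"\s+to\s+(\S+)\s+port\s+(\{[^}]*\}|\S+)\s+->\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+on\s+(\S+)\s+proto\s+tcp\s+from\s+(\S+)\s+port\s+"
                    r"(\{[^}]*\}|\S+)\s+to\s+(.+?)\s+->\s+(\S+)")

def norm_ports(spec):
    # "{pop3, smtp}" and "{pop3,smtp}" must compare equal
    return tuple(sorted(p.strip() for p in spec.strip("{}").split(",")))

def unmatched_rdrs(conf_text):
    """rdr rules with no reverse nat for the same interface, host, ports and peer."""
    nats, rdrs = set(), []
    for line in (l.strip() for l in conf_text.splitlines()):
        if m := NAT_RE.match(line):
            iface, internal, ports, dst, public = m.groups()
            nats.add((iface, internal, norm_ports(ports), dst, public))
        elif m := RDR_RE.match(line):
            iface, src, public, ports, internal = m.groups()
            rdrs.append((line, (iface, internal, norm_ports(ports), src, public)))
    return [line for line, key in rdrs if key not in nats]

# Constructed sample: the original poster's lone rdr plus the em0 pair from the reply.
EM0 = Redirect("em0", "any", "$user_mailserver", ("pop3", "smtp"), "10.188.0.7")
SAMPLE_CONF = """
rdr pass on $ext_if proto tcp from any to $ext_http_addr port 9874 -> $dmz_clip_addr
rdr on em0 proto tcp from any to $user_mailserver port {pop3, smtp} -> 10.188.0.7
nat on em0 proto tcp from 10.188.0.7 port {pop3,smtp} to any -> $user_mailserver
"""
```

Running unmatched_rdrs(SAMPLE_CONF) returns only the port 9874 rdr, the one rule in the thread without a reverse nat.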


More information about the freebsd-pf mailing list