On 2/1/06, Keith Bottner <[EMAIL PROTECTED]> wrote:
> I am having a problem getting packet filter to redirect incoming traffic
> destined for a specific IP and port to an internal DMZ host.
>
> rdr pass on $ext_if proto tcp from any to $ext_http_addr port 9874 -> $dmz_clip_addr

If you use an RDR to punch traffic to a DMZ host, you also need a NAT rule in the opposite direction to make sure the traffic reappears from the same IP.

What I'm doing:

rdr on em0 proto tcp from any to $user_mailserver port {pop3, smtp} -> 10.188.0.7
nat on em0 proto tcp from 10.188.0.7 port {pop3, smtp} to any -> $user_mailserver
rdr on vlan130 proto tcp from vlan130:network to $user_mailserver port {pop3,smtp} -> 10.188.0.7
nat on vlan130 proto tcp from 10.188.0.7 port {pop3,smtp} to vlan130:network -> $user_mailserver

Of course, this leads to huge piles of rules (2 per server per interface), but it is working great.

-- 
Jon Simola
Systems Administrator
ABC Communications
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
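For readers who want both cases from this thread (Internet-to-DMZ redirection and internal clients reaching the DMZ host through the public address) in one file, the following pf.conf fragment is an added example, not part of either message above. The interface names em1 and vlan130's network, the public address 203.0.113.10 and the internal network 192.168.130.0/24 are assumptions for illustration; 10.188.0.7 is the DMZ host from the reply. It uses a port-list macro so each server needs one rdr per interface instead of a hand-written pair, and it shows the filter rules that must accompany a plain rdr (as opposed to rdr pass), since pf filters after translation.

```pf
# Added example (not from the thread): redirect public mail ports to a DMZ host
# and let internal clients reach it via the public address.
# All interface names and addresses except 10.188.0.7 are assumptions.
ext_if     = "em0"
dmz_if     = "em1"
int_if     = "vlan130"
int_net    = "192.168.130.0/24"    # assumed network behind vlan130
pub_addr   = "203.0.113.10"        # assumed public address on $ext_if
dmz_host   = "10.188.0.7"          # DMZ mail server from the thread
mail_ports = "{ smtp, pop3 }"

# Translation rules (must precede filter rules in this pf generation).

# Ordinary outbound masquerading for the internal and DMZ networks.
nat on $ext_if from { $int_net, $dmz_if:network } to any -> ($ext_if)

# 1. Internet -> DMZ host. rdr creates state, and that state entry rewrites
#    the replies back to $pub_addr, so no extra nat rule is needed for them.
rdr on $ext_if proto tcp from any to $pub_addr port $mail_ports -> $dmz_host

# 2. Internal clients that connect to the public address (reflection).
#    The DMZ host is on a different segment, so its replies return through
#    the firewall and the same state entry un-translates them.
rdr on $int_if proto tcp from $int_net to $pub_addr port $mail_ports -> $dmz_host

# Filter rules. pf filters AFTER rdr, so match the translated DMZ address,
# not $pub_addr; a pass rule written against $pub_addr never matches.
block in all
pass out all keep state
pass in on $ext_if proto tcp from any to $dmz_host port $mail_ports flags S/SA keep state
pass in on $int_if proto tcp from $int_net to $dmz_host port $mail_ports flags S/SA keep state
```

The one situation where the reflection case does need a separate nat rule is when the client and the DMZ host sit on the same segment: the server would otherwise answer the client directly, bypassing the firewall's state, so its replies must be made to come back through the firewall by also rewriting the source, e.g. nat on $int_if proto tcp from $int_net to $dmz_host port $mail_ports -> $int_if. Check any such file with pfctl -nf /etc/pf.conf before loading it.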