On Saturday 29 October 2005 03:34 pm, ed wrote:
> > rdr pass on $ext_if proto tcp from <remote_admin> to $ext_ad3 port
> > ldap -> $server_1 port ldap
> >
> > ...where $server_1 is on the other side of $int_if, still needs a
> > pass out rule on $int_if. The "rdr pass" does not extend through to
> > the destination but only through the interface the rdr rule is
> > applied to.
>
> I think this depends on your block rules. If you have a block rule
> elsewhere, it may not permit the return packets.
With "pass" added (rdr pass), filtering rules are supposed to be skipped, so a later block shouldn't matter. Plus, since "rdr" rules keep state, the return trip should be guaranteed - the state table is examined and filtering rules are skipped. So it appears that the "pass" and the state keeping only apply to the named interface and not through to the destination.

Chris
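As an added illustration of the point made in this thread (not a ruleset posted by Chris or ed), here is a minimal pf.conf in the pre-4.7 syntax of the time that carries the quoted rdr rule together with the pass out rule on $int_if that the thread says is still required. The interface names, addresses and table members are placeholders chosen for the example, not the posters' values.

```conf
# Added example, not from the thread. Interface names, addresses and the
# table contents below are assumptions, not the original poster's values.
ext_if   = "fxp0"           # assumed external interface
int_if   = "fxp1"           # assumed internal interface
ext_ad3  = "203.0.113.3"    # assumed public address the rdr listens on
server_1 = "192.168.1.10"   # assumed LDAP server behind $int_if

# Hosts allowed to reach the redirected LDAP port (assumed addresses).
table <remote_admin> { 198.51.100.5, 198.51.100.6 }

set skip on lo0

# Translation rules must precede filter rules in pf.conf and are applied
# before the filter is consulted. "pass" here creates state and skips
# filter evaluation for the matching packet on $ext_if only; it says
# nothing about the same packet when it is later forwarded out $int_if.
rdr pass on $ext_if proto tcp from <remote_admin> to $ext_ad3 port ldap \
    -> $server_1 port ldap

# Default deny on every interface, in both directions.
block all

# Without this rule the redirected SYN is dropped by "block all" as it
# leaves on $int_if, even though "rdr pass" admitted it on $ext_if.
# Filter rules see the translated (post-rdr) destination, so the match
# is against $server_1, not $ext_ad3. keep state covers the replies
# coming back in on $int_if.
pass out on $int_if proto tcp from <remote_admin> to $server_1 port ldap \
    flags S/SA keep state

# Any other traffic the network needs (LAN to Internet, etc.) requires its
# own pass rules on each interface it crosses; they are omitted here.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and use `pfctl -ss` while an admin host connects to confirm that state entries appear for both the $ext_if and $int_if legs. One caveat for anyone reading this years later: from OpenBSD 4.7 onward the `rdr` keyword is gone and the same redirect is written as a filter rule, `pass in on $ext_if proto tcp from <remote_admin> to $ext_ad3 port ldap rdr-to $server_1 port ldap`, but the packet is still filtered on $int_if as it leaves, so the pass out rule keeps its purpose.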