* Chris Smith <[EMAIL PROTECTED]> [2005-10-30 15:50]:
> On Saturday 29 October 2005 03:34 pm, ed wrote:
> > > rdr pass on $ext_if proto tcp from <remote_admin> to $ext_ad3 port
> > > ldap -> $server_1 port ldap
> > >
> > > ...where $server_1 is on the other side of $int_if, still needs a
> > > pass out rule on $int_if. The "rdr pass" does not extend through to
> > > the destination but only through the interface the rdr rule is
> > > applied to.
> >
> > I think this depends on your block rules. If you have a block rule
> > elsewhere, it may not permit the return packets.
>
> With "pass" added (rdr pass) filtering rules are supposed to be skipped,
> so a later block shouldn't matter. Plus, since "rdr" rules keep state
> the return trip should be guaranteed - the state table is examined and
> filtering rules are skipped.
correct. for that interface. you might still be blocking on the other one.

> So it appears that the "pass" and the state keeping only apply to the
> named interface and not through to the destination.

correct.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
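For reference, the rule set the thread is talking about, written out as a complete pf.conf fragment in the OpenBSD 3.x-era syntax of the time. This is an added example, not a configuration posted by anyone in the thread; the interface names, addresses and table members are assumptions chosen for illustration. It pairs the "rdr pass" on $ext_if with the explicit "pass out on $int_if" rule that ed says is still required, and uses a default-deny "block all" so the effect of leaving that second rule out is visible.

```pf
# Added example (not from the thread). Macro values, interface names and
# table members are assumptions for illustration only.
ext_if   = "em0"
int_if   = "em1"
ext_ad3  = "192.0.2.3"        # public alias on $ext_if that admins connect to
server_1 = "10.0.0.20"        # LDAP server on the $int_if network
table <remote_admin> { 203.0.113.10, 203.0.113.11 }

set skip on lo0
block log all                 # default deny, every interface, both directions

# Translate and pass on $ext_if. Per the thread, the "pass" and the state
# created here apply to the interface the rdr is on ($ext_if) only.
rdr pass on $ext_if proto tcp from <remote_admin> to $ext_ad3 port ldap \
    -> $server_1 port ldap

# The redirected packet is filtered again as it leaves $int_if; without this
# rule "block log all" above drops it there. Match on the translated
# destination ($server_1), not on $ext_ad3.
pass out on $int_if proto tcp from <remote_admin> to $server_1 port ldap \
    keep state
```

To confirm the syntax parses without loading it, run `pfctl -nf /etc/pf.conf`; to see which rule a dropped packet hit, watch `tcpdump -n -e -ttt -i pflog0` while an admin host connects, since the "log" keyword on the block rule sends its matches to pflog0.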