On 2012-11-13, James Chase <ja...@wintercastle.net> wrote:

> Also, is there some catch all that could be created with rules like this?
> Currently we are using this on specific services when we want to be able to
> use the fqdn on a local server without adding the internal ip resolution to
> /etc/hosts:
>
> rdr pass on {$ext_if, $int_if} inet proto tcp from any to $mx4_ext port 25
> -> $mx4_int port 25
>
> nat on $int_if inet proto tcp from 192.168.1.0/24 to $mx4_int port 25 ->
> $int_if
You don't need to specify port numbers if you want it to apply to every port.

> It has the very much less than ideal result of showing the connection coming
> from the firewall internal interface though, which makes it harder to know
> where incoming connections are really coming from in the logs and such.

No way around this without some type of split-horizon DNS. If you're redirecting, the packets *must* go back to the device doing that translation, otherwise the return packets from server->client will have the wrong source address so the client will ignore them.

I usually try to put machines hosting rdr'd services on a separate subnet to avoid this. In cases where this isn't practical I usually override the host records on a local name resolver.
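To make the two points above concrete, here is an added pf.conf fragment (not posted by either participant) in the same pre-4.7 `rdr`/`nat` syntax the quoted rules use. It keeps the thread's `$ext_if`, `$int_if`, `$mx4_ext`, `$mx4_int` and 192.168.1.0/24 names; the interface names, the 203.0.113.25 public address, and the `$dmz_if`/`$mx4_dmz`/192.168.2.0/24 DMZ in the second variant are assumptions for illustration.

```pf
# Added example, not from the original thread. Old-style pf syntax (rdr/nat),
# matching the quoted rules. Interface names and addresses are assumptions.

ext_if  = "em0"
int_if  = "em1"
mx4_ext = "203.0.113.25"    # public address (documentation range, assumed)
mx4_int = "192.168.1.25"    # mail host on the same subnet as the LAN clients
lan     = "192.168.1.0/24"

# --- Variant 1: catch-all reflection, server on the LAN subnet ---------------
# Dropping "port 25" makes the redirect apply to every TCP and UDP port on the
# public address, so LAN clients can use the public FQDN for any service.
rdr pass on { $ext_if, $int_if } inet proto { tcp, udp } \
    from any to $mx4_ext -> $mx4_int

# Companion rule, required when client and server share a subnet: the server
# would otherwise answer the LAN client directly, bypassing the firewall, and
# the client would drop replies whose source is $mx4_int instead of $mx4_ext.
# Source-translating to the firewall's internal address forces the reply back
# through pf. Cost: $mx4_int's logs show $int_if's address, not the real client.
nat on $int_if inet proto { tcp, udp } from $lan to $mx4_int -> ($int_if)

# --- Variant 2: server on its own subnet (DMZ), no nat needed ----------------
# With the server behind a different interface, its replies to 192.168.1.x
# must route through the firewall anyway, so pf reverses the rdr on the way
# back and the server sees the true client address. Assumed DMZ values:
dmz_if  = "em2"
mx4_dmz = "192.168.2.25"
# rdr pass on { $ext_if, $int_if } inet proto { tcp, udp } \
#     from any to $mx4_ext -> $mx4_dmz
```

Only one of the two variants should be loaded; the second is commented out so the fragment parses as written. For the resolver approach mentioned last, an `unbound` `local-data:` record mapping the public FQDN to the internal address for LAN clients avoids the translation entirely, so no `nat` rule and no loss of client source addresses.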