1. Use the log option in the rules; then tcpdump -eni pflog0 will reveal what's going on.
2. rdr and nat touch the dest and src addresses before the pass/block rules filter. It's, therefore, easy to write a rule with the wrong applicable dest/src address. I, therefore, prefer using the tag and tagged approach.

3. Here's mine...

# ---
table <SrvrSmtpInt> const { a.b.c.d }
table <SrvrSmtpExt> const { e.f.g.h }
#
nat on outside inet proto tcp \
    tagged OK_IN2OUT_25 -> (outside:0)
#
rdr on outside inet proto tcp \
    from any to (outside:0) port 25 \
    tag OK_OUT2IN_25 -> <SrvrSmtpInt>
#
pass in log quick on outside inet proto tcp \
    tagged OK_OUT2IN_25 flags S/SA keep state
#
pass out log quick on inside inet proto tcp \
    tagged OK_OUT2IN_25 flags S/SA keep state
#
pass in log quick on inside inet proto tcp \
    from <SrvrSmtpInt> to <SrvrSmtpExt> port 25 \
    tag OK_IN2OUT_25 flags S/SA keep state
#
pass out log quick on outside inet proto tcp \
    tagged OK_IN2OUT_25 flags S/SA keep state
# ---

Cheers,

-----Original Message-----
From: Jose H. <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: IPs on screened network can't see their public IPs
Date: Fri, 15 Feb 2008 22:19:37 -0600
Delivered-To: [EMAIL PROTECTED]

Hi,

I have a screened network with nat+rdr.

Using nat I have something like this:

nat on $ext_if proto tcp from $int_server1 to port smtp -> $ext_server1

Using rdr I have:

rdr on $ext_if proto tcp to $ext_server1 port smtp -> $int_server1

And then:

pass inet proto tcp to { $int_server1, $ext_server1 } port smtp keep state

I also have:

pass inet proto tcp from $int_net to $ext_if:network keep state

The only problem is that the internal servers can't connect to the external IPs, for example: from $int_server3 to $ext_server1 on smtp.

Any help appreciated!
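An added pf.conf fragment, not from either message in the thread, that applies the reply's tag/tagged approach to the original question: the reflection case where an inside host connects to the mail server's public address, which a rdr on $ext_if alone never sees. Interface names, macros and addresses are assumed, and the syntax is the old nat/rdr form used in the thread.

```pf
# Assumed macros (constructed values, documentation address ranges).
ext_if      = "em0"
int_if      = "em1"
int_net     = "192.0.2.0/24"      # screened network
ext_server1 = "198.51.100.25"     # public address of the mail server
int_server1 = "192.0.2.25"        # internal address of the mail server

# rdr only matches packets arriving on the named interface, so a second
# rdr on $int_if is needed for inside clients that use the public address.
# The tag records that this is the reflected SMTP flow.
rdr on $int_if inet proto tcp from $int_net to $ext_server1 port smtp \
    tag OK_REFLECT_25 -> $int_server1

# Without this nat the server would answer the client directly on the
# same subnet, bypassing the firewall, and the client would drop a reply
# that does not come from $ext_server1. Rewriting the source to the
# firewall's inside address forces the reply back through pf.
nat on $int_if inet proto tcp from $int_net to $int_server1 port smtp \
    tagged OK_REFLECT_25 -> ($int_if)

# Filter on the tag rather than on addresses, so the pass rules do not
# depend on which address the packet carries before or after translation.
pass in  log quick on $int_if inet proto tcp tagged OK_REFLECT_25 \
    flags S/SA keep state
pass out log quick on $int_if inet proto tcp tagged OK_REFLECT_25 \
    flags S/SA keep state
```

Load with pfctl -nf to syntax-check first; the log keyword lets tcpdump -eni pflog0 confirm both the inbound and the reflected outbound leg match these rules and not a broader pass.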