On 2008-09-30, Comhte <[EMAIL PROTECTED]> wrote:
> I use ftp-proxy to allow FTP client connections from my LAN and it works
> well. On my DMZ, I have multiple servers (web, dns, smtp, etc.) and they
> all have a different public IP. So, I use binat rules to NAT them
> easily and it works fine too.
> But I need to allow these servers on the DMZ to make FTP client connections
> to external servers too. So I have put an rdr rule like the one I did for
> my LAN to make my DMZ servers use the ftp-proxy daemon. But this doesn't
> work: I can only connect to external FTP servers from my DMZ servers if I
> disable the binat rule associated with the server which tries to connect.
>
> My question is, is there a means to do what I want to do? :)
pf.conf(5):

     Evaluation order of the translation rules is dependent on the type of
     the translation rules and of the direction of a packet.  binat rules
     are always evaluated first.  Then either the rdr rules are evaluated
     on an inbound packet or the nat rules on an outbound packet.  Rules of
     the same type are evaluated in the same order in which they appear in
     the ruleset.  The first matching rule decides what action is taken.

So you need to disable the binat rule and use a pair of nat and rdr instead.
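A pf.conf fragment showing the replacement suggested in the reply, added here as an illustration and not part of the original thread. Interface names, addresses and the ftp-proxy listening port are assumed; the syntax is the nat/rdr/binat form used by OpenBSD pf at the time of the thread (2008), with a single DMZ server shown.

```pf
ext_if  = "em0"             # external interface (assumed)
dmz_if  = "em2"             # DMZ interface (assumed)
web_dmz = "10.0.2.10"       # DMZ web server, private address (constructed)
web_pub = "192.0.2.10"      # its public address (constructed, documentation range)
proxy   = "127.0.0.1"
pport   = "8021"            # ftp-proxy(8) listening port (assumed default)

# --- Before: one binat rule for the DMZ server -------------------------
# binat is evaluated before every rdr and nat rule, regardless of where
# it appears in the file, so it cannot be ordered behind the ftp-proxy
# redirect.  Leave it out.
# binat on $ext_if from $web_dmz to any -> $web_pub

# --- After: the same mapping as an ordinary nat + rdr pair --------------
# Outbound: rewrite the server's source address to its public address.
nat on $ext_if from $web_dmz to any -> $web_pub

# Anchors ftp-proxy(8) uses to insert its own translation rules.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# rdr rules of the same type are matched in file order: the ftp-proxy
# redirect for outgoing FTP control connections from the DMZ comes first.
rdr pass on $dmz_if proto tcp from $dmz_if:network to any port 21 \
    -> $proxy port $pport

# Inbound half of the former binat: public address -> DMZ server.
rdr on $ext_if proto tcp from any to $web_pub port 80 -> $web_dmz port 80

# Filter rules: let the proxy's anchor rules pass and allow its own
# outgoing control connections.
anchor "ftp-proxy/*"
pass out on $ext_if proto tcp from $proxy to any port 21
pass in on $ext_if proto tcp from any to $web_dmz port 80
```

The rdr for the DMZ server is limited to port 80 here so the NAT exposes only the published service, rather than the whole host as the binat did.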