From: jhall@vandaliamo.net
To: freebsd-questions@freebsd.org
Date: Thu, 11 Oct 2007 22:02:24 -0000 (GMT)
Subject: NAT Question

I have a question regarding ipf and ipnat.

I have a firewall with two public IP addresses. One of the IP addresses is for incoming Internet traffic only and the other is for incoming e-mail. I'm not sure why my ISP has done this, but they have. In other words, all incoming http traffic (port 80) will be going to the address 1.2.3.4 and all incoming smtp traffic (port 25) will be going to 1.2.3.5.

The internal address of the firewall is 10.129.10.40/24. The webserver has an internal address of 10.129.10.49 and a default gateway of 10.129.10.40 (the firewall).

If I use rdr on an incoming connection, will responses exit the network on the same interface they entered the firewall on?

Following are the rules I would use.

ipnat.rules

    # redirect inbound HTTP on the public address to the internal webserver
    rdr em1 1.2.3.4/32 port 80 -> 10.129.10.49 port 80 tcp

ipf.rules

    # ipf only accepts "port" with a protocol, so "proto tcp" is required.
    # rdr is applied before the inbound filter, so the filter sees the
    # translated destination 10.129.10.49, not 1.2.3.4.
    pass in on em1 proto tcp from any to 10.129.10.49 port = 80 keep state
    # Outbound filtering happens before the reverse translation, so the
    # reply still carries the internal source here; the state entry from
    # the inbound rule already passes it, this rule is a belt-and-braces match.
    pass out on em1 proto tcp from 10.129.10.49 port = 80 to any keep state

Does this solution make sense, or is there a better way to accomplish the same thing?

Thanks for your help.

Jay
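As an added illustration (not part of the mail above, and not IPFilter code), the following Python model walks one redirected HTTP connection through the processing order IPFilter documents: rdr translation before the inbound filter, a state entry created by "keep state", and the reverse translation applied after the outbound filter. The interface em1, the addresses 1.2.3.4 and 10.129.10.49 and the port are taken from the mail; the client address 198.51.100.7 and its source port are constructed for the example, and the model assumes em1 is the outside interface so the reply to the client is routed back out of it. The two rule sets show why a "pass in" rule that names the public address never matches, while one that names the translated internal address does.

```python
"""Model of IPFilter's rdr / filter / state ordering for one connection.

Added example, not the original poster's rules or any IPFilter code.
Addresses and interface come from the mail; the client is constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str  # "in" or "out"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# ipnat.rules: rdr em1 1.2.3.4/32 port 80 -> 10.129.10.49 port 80 tcp
RDR = {("em1", "tcp", "1.2.3.4", 80): ("10.129.10.49", 80)}

# Inbound filter rule naming the public address, as in the original mail.
FILTER_AS_POSTED = [
    dict(iface="em1", direction="in", proto="tcp",
         dst="1.2.3.4", dport=80, keep_state=True),
]

# Inbound filter rule naming the translated (internal) address.
FILTER_FIXED = [
    dict(iface="em1", direction="in", proto="tcp",
         dst="10.129.10.49", dport=80, keep_state=True),
]


def state_key(p):
    """Direction-independent connection key so replies hit the same entry."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto,) + tuple(ends)


class IpfBox:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # keys created by "keep state"
        self.nat = {}        # (int_dst, int_port, client, cport) -> (pub_dst, pub_port)

    def apply_rdr(self, p):
        key = (p.iface, p.proto, p.dst, p.dport)
        if key in RDR:
            new_dst, new_port = RDR[key]
            self.nat[(new_dst, new_port, p.src, p.sport)] = (p.dst, p.dport)
            return replace(p, dst=new_dst, dport=new_port)
        return p

    def apply_reverse_nat(self, p):
        orig = self.nat.get((p.src, p.sport, p.dst, p.dport))
        if orig:
            return replace(p, src=orig[0], sport=orig[1])
        return p

    def filter(self, p):
        """State table is consulted first, then the rule list; default block."""
        if state_key(p) in self.state:
            return True
        for r in self.rules:
            if all(getattr(p, k) == v for k, v in r.items() if k != "keep_state"):
                if r["keep_state"]:
                    self.state.add(state_key(p))
                return True
        return False

    def process(self, p):
        """Returns (passed, packet as it is after this stage of processing)."""
        if p.direction == "in":
            p = self.apply_rdr(p)            # NAT runs before the inbound filter
            return self.filter(p), p
        ok = self.filter(p)                  # outbound filter runs before NAT
        return ok, (self.apply_reverse_nat(p) if ok else p)


def simulate(rules):
    """Send a client SYN in on em1 and the webserver's reply back out on em1."""
    box = IpfBox(rules)
    client, cport = "198.51.100.7", 40000    # constructed client endpoint
    syn = Packet("em1", "in", "tcp", client, cport, "1.2.3.4", 80)
    ok_in, seen_in = box.process(syn)
    # The webserver answers via its default gateway (the firewall), which
    # routes the reply back out of the outside interface em1.
    synack = Packet("em1", "out", "tcp", "10.129.10.49", 80, client, cport)
    ok_out, seen_out = box.process(synack)
    return {
        "inbound_passed": ok_in,
        "filter_saw_dst": seen_in.dst,
        "reply_passed": ok_out,
        "reply_src_on_wire": seen_out.src,
        "reply_iface": seen_out.iface,
    }


if __name__ == "__main__":
    print("as posted:", simulate(FILTER_AS_POSTED))
    print("fixed:    ", simulate(FILTER_FIXED))
```

With the fixed rule set the SYN passes, the filter sees 10.129.10.49 as the destination, and the reply leaves em1 with its source rewritten back to 1.2.3.4 by the reverse translation; with the rule as posted the SYN is blocked because the filter never sees 1.2.3.4 after rdr has run.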