Date:      Wed, 3 Nov 2004 19:21:46 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org, =?iso-8859-1?q?C=E9dric_Jonas?= <cedric@virtual-globe.net>
Subject:   Re: NAT Loopback
Message-ID:  <200411031921.53192.max@love2party.net>
In-Reply-To: <938471846.20041102145316@virtual-globe.net>
References:  <938471846.20041102145316@virtual-globe.net>


[ Sorry for the delay, EuroBSDCon has been demanding - and a lot of FUN! ]

Hi Cédric,

On Tuesday 02 November 2004 14:53, Cédric Jonas wrote:
>   For 5 days I have been trying to install PF on my server, to replace my old
>   hardware router... Until now, everything was ok, better than the old
>   router - BUT, what I miss is the NAT Loopback functionality (so
>   that IP packets which come from the LAN and are destined to my WAN
>   IP effectively leave the WAN interface and come back in through the
>   WAN interface => the packet is subjected to the filter rulesets for
>   incoming packets on my WAN interface = NAT Loopback).
>   I found this in the OpenBSD PF FAQ:
>   http://www.openbsd.org/faq/pf/rdr.html#rdrnat, but it isn't what I
>   am looking for, because the packets don't leave and re-enter the WAN
>   interface.

You can try to add a rule in the form of:
  pass in on $internal_if route-to ($external_if $external_ip) \
      from any to $external_ip

This will loop back all traffic hitting the internal interface destined to 
the external IP via the external interface. Be aware of the overhead of this 
approach. Depending on your setup it might be easier to replicate the desired 
restrictions for the internal interface.

>   I hope that someone will be able to help me here (and that I described
>   it understandably); it's my last possibility, I think.

It's always helpful to post your ruleset, so that we can tell you where to put 
new rules or explain which rules cause the problem you are seeing. 
Don't be too afraid to post your rulesets - fortunately *BSD and the default 
services it provides are a whole lot more secure than seen elsewhere ;)

>   Sorry for my bad English, but I do what I can ;-)

Oh c'mon - I've seen worse and that includes me sometime.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
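An added illustration, not part of the thread, of where Max's route-to rule sits in a complete pf.conf, beside the rdr/nat reflection approach from the FAQ page Cédric linked (the alternative Max refers to as replicating the restrictions on the internal interface). Interface names, addresses and the web server are assumed placeholders.

```pf
# Added example, not from the thread. Interfaces and addresses are placeholders.
external_if  = "fxp0"
internal_if  = "fxp1"
external_ip  = "192.0.2.10"          # public address on $external_if
internal_net = "192.168.1.0/24"
web_server   = "192.168.1.20"

# Translation section: outbound NAT and the port forward as seen from the Internet.
nat on $external_if from $internal_net to any -> $external_ip
rdr on $external_if proto tcp from any to $external_ip port 80 -> $web_server port 80

# Option B (FAQ-style reflection, instead of Option A below): redirect on the
# internal interface and NAT the source so the server's replies return through
# the firewall; the WAN restrictions then have to be repeated on $internal_if.
# rdr on $internal_if proto tcp from $internal_net to $external_ip port 80 -> $web_server port 80
# nat on $internal_if proto tcp from $internal_net to $web_server port 80 -> $internal_if

# Filter section.
block in log all

# Option A (Max's suggestion): push LAN traffic for the public address out
# through $external_if so it re-enters there and is checked by the WAN rules.
pass in on $internal_if route-to ($external_if $external_ip) \
    from $internal_net to $external_ip keep state

# WAN rules; with Option A these now govern LAN clients reaching $external_ip too.
pass in on $external_if proto tcp from any to $web_server port 80 flags S/SA keep state
pass out on $external_if keep state
```

pf requires translation (nat/rdr) rules before filter rules, which is why Option B's lines are kept in the translation section even though they are commented out.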


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200411031921.53192.max>