Date: Wed, 3 Nov 2004 19:21:46 +0100
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org, Cédric Jonas <cedric@virtual-globe.net>
Subject: Re: NAT Loopback
Message-ID: <200411031921.53192.max@love2party.net>
In-Reply-To: <938471846.20041102145316@virtual-globe.net>
References: <938471846.20041102145316@virtual-globe.net>
[ Sorry for the delay, EuroBSDCon has been demanding - and a lot of FUN! ]

Hi Cédric,

On Tuesday 02 November 2004 14:53, Cédric Jonas wrote:
> For 5 days I have been trying to install PF on my server, to replace my
> old hardware router... Until now everything was OK, better than the old
> router - BUT what I miss is the NAT Loopback functionality (so that IP
> packets which come from the LAN and are destined to my WAN IP
> effectively leave the WAN interface and come back in through the WAN
> interface => the packet is subjected to the filter rulesets for
> incoming packets on my WAN interface = NAT Loopback).
> I found this in the OpenBSD PF FAQ:
> http://www.openbsd.org/faq/pf/rdr.html#rdrnat, but it isn't what I am
> looking for, because the packets don't leave and re-enter the WAN
> interface.

You can try to add a rule in the form of:

    pass in on $internal_if route-to ($external_if $external_ip) \
        from any to $external_ip

This will loop back all traffic hitting the internal interface destined to
the external IP via the external interface. Be aware of the overhead of this
approach. Depending on your setup it might be easier to replicate the desired
restrictions for the internal interface.

> I hope that someone will be able to help me here (and that I described
> it understandably), it's my last possibility I think.

It's always helpful to post your ruleset, so that we can tell you where to put
new rules or explain which rules cause the problem you are seeing. Don't be
too afraid to post your rulesets - fortunately *BSD and the default services
it provides are a whole lot more secure than seen elsewhere ;)

> Sorry for my bad English, but I do what I can ;-)

Oh c'mon - I've seen worse and that includes me sometimes.
-- 
/"\ Best regards,                      | mlaier@freebsd.org
\ / Max Laier                          | ICQ #67774661
 X  http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \ ASCII Ribbon Campaign              | Against HTML Mail and News
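A minimal pf.conf built around the route-to rule from the reply, added here as an illustration and not part of the thread: it shows where that rule sits relative to the translation rules and the inbound policy on the WAN interface that the looped-back packets then have to satisfy. Interface names, the 192.168.1.0/24 LAN, the 203.0.113.10 WAN address and the service list are placeholders, and the "no nat" line is an assumption of this example (that a general nat rule would otherwise rewrite the source of the looped traffic), not something the reply states.

```pf
# Added example, not from the thread.  Names and addresses are placeholders.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.1.0/24"
ext_ip  = "203.0.113.10"     # static WAN address, assumed for this example
wan_svc = "{ 22, 80 }"       # services on the firewall the WAN policy admits

# Usual outbound NAT for the LAN.  The "no nat" line is this example's
# addition: it keeps the looped-back packets from being source-translated
# on their way out of $ext_if, so the reply is routed back to the LAN client.
no nat on $ext_if from $int_net to $ext_ip
nat on $ext_if from $int_net to any -> $ext_ip

# The rule from the reply: LAN traffic for the WAN address is sent out
# through $ext_if with the WAN address itself as next hop, re-enters on
# $ext_if and is then judged by the "pass in on $ext_if" rules below.
# Every such packet crosses pf twice, which is the overhead the reply
# warns about.
pass in quick on $int_if route-to ($ext_if $ext_ip) \
    from $int_net to $ext_ip keep state

# Default deny, then the WAN policy that looped-back traffic must satisfy.
block all
pass in on $ext_if proto tcp from any to $ext_ip port $wan_svc \
    flags S/SA keep state
pass out on $ext_if keep state

# Remaining LAN traffic (the quick rule above already handled $ext_ip).
pass in on $int_if from $int_net to any keep state
pass out on $int_if keep state

# Check the syntax without loading it, then watch the states that appear:
#   pfctl -nf /etc/pf.conf
#   pfctl -ss | grep 203.0.113.10
```

Two states per looped connection (one created on $int_if, one on $ext_if) is the expected picture in `pfctl -ss`; if only the first appears, the packet never came back in on $ext_if.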