Date: Thu, 16 Sep 2004 04:11:31 -0000
From: Max Laier <max@love2party.net>
To: Muhammad Reza <reza@mra.co.id>
Cc: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: pf and ipfw
Message-ID: <200408111550.56346.max@love2party.net>
In-Reply-To: <4118C330.8090609@mra.co.id>
References: <411722A1.1020108@mra.co.id> <200408091840.53308.max@love2party.net> <4118C330.8090609@mra.co.id>

On Tuesday 10 August 2004 14:44, Muhammad Reza wrote:
> # nat outgoing connections on each internet interface
> nat on $ext_if1 from $lan_net to any -> $gw1
> nat on $ext_if2 from $lan_net to any -> $gw2
> nat on $ext_if1 from $dmz_net to any -> $gw1
> nat on $ext_if2 from $dmz_net to any -> $gw2
>
> # smtp access from outside
> rdr on $ext_if proto tcp from any to $server_ext port smtp -> $server_dmz port smtp

That can't work! For a client connecting to your smtp that would look like the
following:
1) $client:cport connects to $server_ext:25
2) pf RDRs to $server_dmz:25
3) $server_dmz:sport replies to $client:cport
4) pf NATs to one of $gw1:sport1 or $gw2:sport2
5) $client does not recognize it, as it is expecting to receive a reply from
   $server_ext and not from $gw1 or $gw2

You have to make sure that replies from $server_dmz are translated to
$server_ext.

-- 
  /"\  Best regards,                      | mlaier@freebsd.org
  \ /  Max Laier                          | ICQ #67774661
   X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
  / \  ASCII Ribbon Campaign              | Against HTML Mail and News
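
The five steps above as a small Python model, added here as an illustration and not part of the original message. It assumes, as the walk-through does, that each packet is translated by the first matching rule; all addresses and ports are constructed, and the more specific rule for $server_dmz is a hypothetical way to satisfy the message's last sentence.

```python
# Simplified model: per-packet translation, first matching rule wins, and the
# client accepts a reply only from the address:port it originally connected to.
# All addresses and ports are constructed (documentation ranges).
CLIENT, CPORT = "198.51.100.7", 40000
SERVER_EXT, SERVER_DMZ = "203.0.113.10", "10.0.1.10"
GW1, DMZ_NET = "203.0.113.1", "10.0.1."
NAT_PORT = 50001  # constructed port picked by the generic NAT rule

def rdr(pkt):
    """Inbound: rdr ... to $server_ext port smtp -> $server_dmz port smtp."""
    src, sport, dst, dport = pkt
    if dst == SERVER_EXT and dport == 25:
        return (src, sport, SERVER_DMZ, 25)
    return pkt

def nat(pkt, rules):
    """Outbound: rewrite the source using the first matching rule."""
    src, sport, dst, dport = pkt
    for matches, new_src, new_sport in rules:
        if matches(src):
            return (new_src, new_sport or sport, dst, dport)
    return pkt

def client_accepts(reply, peer):
    """The client matches a reply against the peer it connected to."""
    src, sport, dst, dport = reply
    return (src, sport) == peer and (dst, dport) == (CLIENT, CPORT)

def round_trip(rules):
    peer = (SERVER_EXT, 25)
    syn = rdr((CLIENT, CPORT, *peer))           # steps 1-2
    reply = (syn[2], syn[3], syn[0], syn[1])    # step 3
    reply = nat(reply, rules)                   # step 4
    return reply, client_accepts(reply, peer)   # step 5

# Rules as quoted: everything from the DMZ leaves as $gw1 with a new port.
QUOTED = [(lambda s: s.startswith(DMZ_NET), GW1, NAT_PORT)]
# Hypothetical fix: a specific rule for $server_dmz ahead of the generic one,
# keeping the source port (None) so the reply still comes from port 25.
FIXED = [(lambda s: s == SERVER_DMZ, SERVER_EXT, None)] + QUOTED

if __name__ == "__main__":
    for name, rules in (("quoted", QUOTED), ("fixed", FIXED)):
        reply, ok = round_trip(rules)
        print(f"{name}: reply from {reply[0]}:{reply[1]} accepted={ok}")
```

Other DMZ hosts still match the generic rule in the second ruleset, so only the mail server's source address changes.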