From: Max Laier
To: Muhammad Reza
References: <411722A1.1020108@mra.co.id> <200408091840.53308.max@love2party.net> <4118C330.8090609@mra.co.id>
In-Reply-To: <4118C330.8090609@mra.co.id>
Message-Id: <200408111550.56346.max@love2party.net>
cc: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: pf and ipfw
Date: Thu, 16 Sep 2004 04:11:31 -0000
X-Original-Date: Wed, 11 Aug 2004 15:50:54 +0200

On Tuesday 10 August 2004 14:44, Muhammad Reza wrote:
> # nat outgoing connections on each internet interface
> nat on $ext_if1 from $lan_net to any -> $gw1
> nat on $ext_if2 from $lan_net to any -> $gw2
> nat on $ext_if1 from $dmz_net to any -> $gw1
> nat on $ext_if2 from $dmz_net to any -> $gw2
>
> # smtp access from outside
> rdr on $ext_if proto tcp from any to $server_ext port smtp -> \
>     $server_dmz port smtp

That can't work! For a client connecting to your smtp that would look like the following:

1) $client:cport connects to $server_ext:25
2) pf RDRs to $server_dmz:25
3) $server_dmz:sport replies to $client:cport
4) pf NATs to one of $gw1:sport1 or $gw2:sport2
5) $client does not recognize it, as it is expecting to receive a reply from $server_ext and not from $gw1 or $gw2

You have to make sure that replies from $server_dmz are translated to $server_ext.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
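One way to meet the requirement stated in the reply above, that replies from $server_dmz leave with the $server_ext address instead of $gw1 or $gw2, is a bidirectional binat mapping for the mail server. The fragment below is an added example written for this archive page; it is not configuration from the thread or from Max Laier. It assumes FreeBSD-era pf.conf syntax with binat, that $server_ext is an address on $ext_if1, and that the DMZ host's return traffic is routed out $ext_if1. Every macro value is a placeholder; the original thread never shows the real addresses or interface names.

```pf
# Added example, not from the original mail. All values are placeholders.
ext_if1    = "fxp0"              # placeholder: uplink that holds $server_ext
ext_if2    = "fxp1"              # placeholder: second uplink
lan_net    = "192.168.1.0/24"    # placeholder
dmz_net    = "192.168.2.0/24"    # placeholder
gw1        = "203.0.113.10"      # placeholder: public address on $ext_if1
gw2        = "198.51.100.10"     # placeholder: public address on $ext_if2
gw1_router = "203.0.113.1"       # placeholder: next hop on $ext_if1
server_ext = "203.0.113.25"      # placeholder: public address of the mail server
server_dmz = "192.168.2.25"      # placeholder: DMZ address of the mail server

# Bidirectional 1:1 mapping. Inbound packets for $server_ext are redirected
# to $server_dmz, and packets from $server_dmz leaving $ext_if1 get
# $server_ext as their source instead of $gw1. This replaces the
# one-directional rdr from the quoted config for this host.
binat on $ext_if1 from $server_dmz to any -> $server_ext

# Generic outbound NAT for everything else on each uplink, as in the quoted
# config. The binat above is listed first so the special case is visible.
nat on $ext_if1 from $lan_net to any -> $gw1
nat on $ext_if2 from $lan_net to any -> $gw2
nat on $ext_if1 from $dmz_net to any -> $gw1
nat on $ext_if2 from $dmz_net to any -> $gw2

# Filter rules see the translated (DMZ) address. binat maps the whole
# address, so only SMTP is allowed through; every other port on $server_ext
# stays closed. reply-to pins the return path to $ext_if1 so the reply is
# not emitted on $ext_if2 and translated to $gw2 (step 4 in the reply above).
block in on $ext_if1 from any to $server_dmz
pass in on $ext_if1 reply-to ($ext_if1 $gw1_router) proto tcp \
    from any to $server_dmz port smtp flags S/SA keep state
```

After loading, `pfctl -s nat` should list the binat rule ahead of the nat rules, and `pfctl -s state` should show SMTP states whose external side is $server_ext:25 rather than $gw1 or $gw2. The reply-to is what keeps the design honest on a dual-uplink box: without it, the DMZ host's replies follow the default route, and if that route points at $ext_if2 they never hit the binat on $ext_if1.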