From: Muhammad Reza
To: Max Laier
Message-ID: <411AEAE5.9080106@mra.co.id>
In-Reply-To: <200408111550.56346.max@love2party.net>
Subject: [pf4freebsd] Re: pf and ipfw
List-Id: Technical discussion and general questions about packet filter (pf)
cc: pf4freebsd@freelists.org
Date: Thu, 16 Sep 2004 04:11:41 -0000
X-Original-Date: Thu, 12 Aug 2004 10:58:29 +0700

Max Laier wrote:
> On Tuesday 10 August 2004 14:44, Muhammad Reza wrote:
>
>> # nat outgoing connections on each internet interface
>> nat on $ext_if1 from $lan_net to any -> $gw1
>> nat on $ext_if2 from $lan_net to any -> $gw2
>> nat on $ext_if1 from $dmz_net to any -> $gw1
>> nat on $ext_if2 from $dmz_net to any -> $gw2
>>
>> # smtp access from outside
>> rdr on $ext_if proto tcp from any to $server_ext port smtp ->
>> $server_dmz port smtp
>
> That can't work! For a client connecting to your smtp that would look like the
> following:
> 1) $client:cport connects to $server_ext:25
> 2) pf RDRs to $server_dmz:25
> 3) $server_dmz:sport replies to $client:cport
> 4) pf NATs to one of $gw1:sport1 or $gw2:sport2
> 5) $client does not recognize it, as it is expecting to receive a reply from
> $server_ext and not from $gw1 or $gw2
>
> You have to make sure that replies from $server_dmz are translated to
> $server_ext.

Thanks list for the great response.
To make sure that replies from $server_dmz are translated to $server_ext, I added this line (cmiiw):

nat on $ext_if1 from $dmz_net to any -> $server_ext

This rule says to perform NAT on the $ext_if interface for any packets coming from $dmz_net and to replace the source IP address with $server_ext. But it still can't work :(. But if I add a default gateway to the internet, the redirect can work, but not with load balancing. Please help me.

regards
reza

cmiiw:
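An added pf.conf example, not from this thread or from either poster, showing one way to keep the redirected SMTP connection's replies on the uplink it arrived on, using pf's reply-to option (the pattern the OpenBSD pf FAQ uses for multi-WAN). All interface names and addresses are placeholders; $isp1_router and $isp2_router (the next-hop router on each uplink) are assumed macros, and the rules assume pf's default floating state policy. Without the reply-to rule the DMZ server's replies follow the firewall's default route, which is the failure the thread describes.

```pf
# Added example (not from the thread). Interface names and addresses are
# placeholders; $isp1_router/$isp2_router are assumed macros for the
# next-hop router on each uplink. Assumes the default floating state policy.
ext_if1 = "fxp0"            # uplink 1, the one that carries $server_ext
ext_if2 = "fxp1"            # uplink 2
dmz_if  = "fxp2"
lan_net = "10.0.0.0/24"
dmz_net = "172.16.1.0/24"
gw1 = "192.0.2.2"           # firewall's own address on uplink 1
gw2 = "198.51.100.2"        # firewall's own address on uplink 2
isp1_router = "192.0.2.1"
isp2_router = "198.51.100.1"
server_ext = "192.0.2.10"   # public SMTP address, reachable via uplink 1
server_dmz = "172.16.1.25"

# Outgoing NAT per uplink, as in the thread.
nat on $ext_if1 from { $lan_net, $dmz_net } to any -> $gw1
nat on $ext_if2 from { $lan_net, $dmz_net } to any -> $gw2

# Inbound SMTP: redirect only on the uplink that owns $server_ext.
# The state created by this rdr reverse-translates the server's replies
# back to $server_ext, so no extra nat rule is needed for them.
rdr on $ext_if1 proto tcp from any to $server_ext port smtp -> $server_dmz port smtp

# Filter rules see the post-rdr destination. reply-to sends the replies of
# this connection out $ext_if1 via $isp1_router instead of the default
# route, so they never leave through $ext_if2 with the wrong address.
pass in on $ext_if1 reply-to ($ext_if1 $isp1_router) proto tcp \
    from any to $server_dmz port smtp flags S/SA keep state

# Outgoing side: a packet already carrying one uplink's address must leave
# through that uplink even when the routing table points at the other one.
pass out on $ext_if1 route-to ($ext_if2 $isp2_router) from $gw2 to any
pass out on $ext_if2 route-to ($ext_if1 $isp1_router) from $gw1 to any
pass out on $ext_if1 from $gw1 to any keep state
pass out on $ext_if2 from $gw2 to any keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and watch `pfctl -ss` for the redirected state while an SMTP connection is open to confirm its replies are pinned to $ext_if1.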