From: David DeSimone <fox@verio.net>
To: freebsd-pf@freebsd.org
Date: Thu, 10 Jan 2008 21:08:26 -0600
Subject: Re: Forwarding another host
Message-ID: <20080111030826.GP19089@verio.net>
In-Reply-To: <1a5f1a2d0801101837r338b5453m7a8f673e3b03833e@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"
Rodrique Heron wrote:
>
>            INTERNET
>               |
>          PIX Firewall
>               |
>   SWITCH*---*HOSTA 192.168.2.14
>        *
>        |
>        *
>     HOSTB 192.168.2.27
>
> ### /etc/pf.conf
> ext_if = "em0"
> int_if = "lo0"
>
> host_ip = "192.168.2.14"
> jail_ip = "192.168.2.18"
> external_host = "192.168.2.27"
>
> rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
> rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22
>
> pass in quick all
> pass out quick all

NAT is always a two-way street. PF must not only translate packets sent to another host, it must also receive and translate the REPLY packets from that host.

In the scenario you paint above, HOSTB will receive packets from HOSTA, but when generating a reply, the reply will bypass HOSTA and go directly back to the PIX firewall.

It works in a jail because the jail is "inside" HOSTA and so all reply traffic from the jail gets seen by HOSTA before going to the network.

Seems to me it would be easier to get the PIX firewall to send traffic to HOSTB instead of HOSTA. If that device is outside your control, probably the easiest thing for you to do is set up a generic proxy, like "redir" or similar, to copy traffic over a secondary connection to HOSTB.

-- 
David DeSimone == Network Admin == fox@verio.net
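The asymmetric return path described in the reply, shown as an added pf.conf example (not part of the original thread and not the poster's configuration). It reuses the addresses and interface name from the quoted ruleset and adds the standard pf "redirection and reflection" fix, a nat rule on the same interface, so that HOSTB's replies are forced back through HOSTA. That nat rule is an assumption of this example, not something either participant proposed, and the syntax is the old rdr/nat form used by FreeBSD pf of that era.

```pf
# Added example, not from the original thread: the quoted rdr-only ruleset
# beside a version that puts HOSTA back on the return path.  Addresses and
# interface are the ones from the quoted pf.conf; the nat rule is the
# standard pf "redirection and reflection" technique (an assumption here,
# not the poster's own fix).  Old rdr/nat syntax, pre-"match" pf.
ext_if        = "em0"
host_ip       = "192.168.2.14"   # HOSTA, the pf box
jail_ip       = "192.168.2.18"   # jail living on HOSTA
external_host = "192.168.2.27"   # HOSTB, a separate machine on the same LAN

# --- Broken: rdr only --------------------------------------------------
# The inbound SYN from the PIX gets its destination rewritten to HOSTB, but
# its source address is untouched.  HOSTB answers the original client
# address, so the SYN-ACK goes straight to the PIX and never crosses HOSTA;
# pf sees only half the conversation and the handshake never completes.
# rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22

# --- Working: rdr plus nat on the same interface ----------------------
# Step 1 (packet arriving on em0): rewrite the destination to HOSTB.
rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
# Step 2 (same packet leaving em0 after rdr): rewrite the source to HOSTA's
# own address, so HOSTB replies to HOSTA, which untranslates both ends and
# forwards the reply to the real client via the PIX.
nat on $ext_if proto tcp from any to $external_host port 22 -> ($ext_if)

# The jail needs no nat: its traffic originates inside HOSTA and already
# traverses pf in both directions, which is why that rdr worked as posted.
rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22

pass in quick all
pass out quick all
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`; `pfctl -sn` shows the translation rules and `pfctl -ss` should then show a state whose source has been rewritten to 192.168.2.14 when an external client connects. The price of the nat rule is attribution: HOSTB's sshd logs, and any per-source-IP controls on HOSTB, now see every external client as HOSTA, and HOSTA becomes a single point of failure for that service. Having the PIX forward port 22 to HOSTB directly, as the reply suggests, avoids both problems.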