From owner-freebsd-pf@FreeBSD.ORG Wed Feb 1 17:25:22 2006
From: Jon Simola
Sender: jsimola@gmail.com
To: Keith Bottner
Cc: freebsd-pf@freebsd.org
Date: Wed, 1 Feb 2006 09:25:06 -0800
Subject: Re: Port redirection just not working!
Message-ID: <8eea04080602010925x16640e22h4fb1f121577f405c@mail.gmail.com>
In-Reply-To: <0be301c62748$624140d0$0e01a8c0@Stile>
On 2/1/06, Keith Bottner wrote:
> I am having a problem getting packet filter to redirect incoming traffic
> destined for a specific IP and port to an internal DMZ host.
>
> rdr pass on $ext_if proto tcp from any to $ext_http_addr port 9874 -> $dmz_clip_addr

If you use an RDR to punch traffic to a DMZ host, you also need a NAT rule
in the opposite direction to make sure the traffic reappears from the same
IP. What I'm doing:

rdr on em0 proto tcp from any to $user_mailserver port {pop3, smtp} -> 10.188.0.7
nat on em0 proto tcp from 10.188.0.7 port {pop3, smtp} to any -> $user_mailserver
rdr on vlan130 proto tcp from vlan130:network to $user_mailserver port {pop3,smtp} -> 10.188.0.7
nat on vlan130 proto tcp from 10.188.0.7 port {pop3,smtp} to vlan130:network -> $user_mailserver

Of course, this leads to huge piles of rules (2 per server per interface),
but it is working great.

--
Jon Simola
Systems Administrator
ABC Communications
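The pattern Jon describes, written out as a complete pf.conf fragment. This is an added example, not Keith's configuration or Jon's, and it uses the OpenBSD 3.x-style pf syntax that FreeBSD 6 shipped with at the time of this thread. Interface names, the public address (from the 203.0.113.0/24 documentation range) and the DMZ address are assumptions for illustration. Two points it makes explicit that the thread only implies: pf evaluates nat/rdr before the filter rules, so a plain `rdr` needs a `pass in` rule that matches the translated destination (the DMZ host), not the public address, whereas `rdr pass` creates state without consulting the filter rules at all; and hosts on the DMZ side that connect to the public address need the same rdr/nat pair on the inside interface (the reflection case Jon's vlan130 rules cover).

```pf
# Added example (not from the thread). Names and addresses are assumptions.
ext_if        = "em0"
dmz_if        = "em1"
ext_http_addr = "203.0.113.10"   # public address clients connect to
dmz_clip_addr = "10.10.10.5"     # DMZ host that really serves port 9874
dmz_net       = $dmz_if:network

# Prerequisite outside pf: the box must forward packets between interfaces
# (gateway_enable="YES" in rc.conf, i.e. net.inet.ip.forwarding=1).

# --- Translation rules (evaluated before the filter rules) ----------------
# Inbound: rewrite the public destination to the DMZ host.
rdr on $ext_if proto tcp from any to $ext_http_addr port 9874 -> $dmz_clip_addr
# Outbound: connections the DMZ host itself opens leave with the same public
# address, the pairing Jon describes.
nat on $ext_if proto tcp from $dmz_clip_addr to any -> $ext_http_addr

# Reflection: a DMZ host that connects to the public address would otherwise
# reach the firewall's own interface. Redirect it too, and source-NAT so the
# reply comes back through the firewall instead of going host-to-host.
rdr on $dmz_if proto tcp from $dmz_net to $ext_http_addr port 9874 -> $dmz_clip_addr
nat on $dmz_if proto tcp from $dmz_net to $dmz_clip_addr port 9874 -> $dmz_if

# --- Filter rules (see the packet AFTER rdr/nat rewrote it) --------------
block in all
pass out all keep state
# Match the translated destination, i.e. the DMZ host, not $ext_http_addr.
pass in on $ext_if proto tcp from any to $dmz_clip_addr port 9874 flags S/SA keep state
pass in on $dmz_if proto tcp from $dmz_net to $dmz_clip_addr port 9874 flags S/SA keep state
```

To check it, load with `pfctl -nf /etc/pf.conf` first (syntax only), then `pfctl -f /etc/pf.conf`. `pfctl -sn` lists the translation rules as pf parsed them, `pfctl -vsr` shows the filter rules with match counters, and `pfctl -ss` shows states; a connection to port 9874 that shows up in `pfctl -ss` with the DMZ address as its translated destination but no matching filter rule counter incrementing is the classic sign that the `pass in` rule still names the public address.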