Jason Opperisano wrote:
> On Thu, 2004-09-16 at 08:58, Steven S. wrote:
> 
> the above seems to be the result of a blocked packet with "set
> block-policy return" or a "block return ..." rule ...SYN goes out but
> SYN-ACK coming back in gets a RST...

I have no such policies.  It is my understanding that the CARP IP is never
used as the source address unless a specific nat/rdr rule is configured or
it's a response to a request to the CARP IP.   My last few rules are:

# Out of this firewall
pass out quick on bge0 proto { tcp, udp, icmp } from any to any keep state
pass out quick on em0 proto { tcp, udp, icmp } from any to any keep state
pass out quick on em1 proto { tcp, udp, icmp } from any to any keep state
pass out quick on em2 proto { tcp, udp, icmp } from any to any keep state
pass out quick on em3 proto { tcp, udp, icmp } from any to any keep state

>> My only thought is to try rdr and nat instead of binat, but binat
>> seems cleaner to me.  Any thoughts?
> 
> my only thought would be to "telnet 10.0.1.50 25"...  NAT is for
> machines outside the firewall that don't know any better.  the
> firewall knows better.

Except the host 1.1.1.180 is an mx for the domain I'm trying to get mail to.
I suppose I could set up something in /etc/hosts or a split DNS config, but
that seems more complicated than it needs to be.

Thanks for your time!

-Steve S.
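For readers following the binat-versus-nat/rdr question in this thread, the pf.conf fragment below is an added example, not configuration from the original post. It assumes an external interface em0, that 1.1.1.180 (the MX address mentioned above) is the shared CARP address on that interface, and that 10.0.1.50 is the internal mail host behind it; all three are assumptions for illustration.

```conf
# Added example, not from the original post. Assumed names and addresses:
# external interface em0, public MX/CARP address 1.1.1.180, internal mail
# host 10.0.1.50.
ext_if = "em0"
mx_pub = "1.1.1.180"
mx_int = "10.0.1.50"

# One bidirectional mapping: packets leaving the mail host are translated to
# the public address, and packets arriving for the public address are
# redirected to the mail host.
binat on $ext_if from $mx_int to any -> $mx_pub

# The same mapping written as a separate nat and rdr pair. Functionally the
# same for a single host, but two rules that must be kept in sync.
# nat on $ext_if from $mx_int to any -> $mx_pub
# rdr on $ext_if proto tcp from any to $mx_pub port 25 -> $mx_int port 25

# Translation never replaces filtering: a redirected packet is still
# evaluated by the filter rules on the interface it arrived on, against its
# post-translation destination, so an explicit pass rule is still required.
pass in on $ext_if proto tcp from any to $mx_int port 25 flags S/SA keep state
```

Two checks are worth running against a configuration like this: `pfctl -s nat` shows the translation rules actually loaded, and `pfctl -s state` shows whether a state entry was created for the connection and which addresses it was translated between. The caveat that matters here is that binat and rdr on the external interface only act on packets that arrive on that interface; a connection from a host on an internal interface to the public address is not translated by these rules, so it is not evidence that the mapping itself is broken.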