Jason Opperisano wrote:
> On Thu, 2004-09-16 at 08:58, Steven S. wrote:
>
> the above seems to be the result of a blocked packet with "set
> block-policy return" or a "block return ..." rule ...SYN goes out but
> SYN-ACK coming back in gets a RST...

I have no such policies. It is my understanding that the CARP IP is never used as the source address unless a specific nat/rdr rule is configured or it's a response to a request to the CARP IP. My last few rules are:

# Out of this firewall
pass out quick on bge0 proto { tcp, udp, icmp } from any to any keep state
pass out quick on em0 proto { tcp, udp, icmp } from any to any keep state
pass out quick on em1 proto { tcp, udp, icmp } from any to any keep state
pass out quick on em2 proto { tcp, udp, icmp } from any to any keep state
pass out quick on em3 proto { tcp, udp, icmp } from any to any keep state

> > My only thought is to try rdr and nat instead of binat, but binat
> > seems cleaner to me. Any thoughts?
>
> my only thought would be to "telnet 10.0.1.50 25"... NAT is for
> machines outside the firewall that don't know any better. the
> firewall knows better.

Except the host 1.1.1.180 is an MX for the domain I'm trying to get mail to. I suppose I could set up something in /etc/hosts or a split DNS config, but that seems more complicated than it needs to be.

Thanks for your time!

-Steve S.
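As an added illustration (not from the thread), here is the mapping the thread discusses written both ways in the pre-OpenBSD 4.7 pf.conf syntax in use in 2004: as a single binat, and as the rdr plus nat pair Steve considers trying instead. The thread does not say which of bge0/em0-em3 is the external interface or spell out the 1.1.1.180 <-> 10.0.1.50 mapping, so $ext_if, $ext_addr and $mx_int are placeholder macros and the mapping is an assumption.

```pf
# Added example, not from the thread. Pre-OpenBSD 4.7 pf syntax (2004 era).
# Assumed values: the external interface and the 1.1.1.180 <-> 10.0.1.50
# mapping are not stated in the thread.
ext_if   = "em0"         # assumed external interface
ext_addr = "1.1.1.180"   # public MX address
mx_int   = "10.0.1.50"   # internal mail host

# Option 1: one bidirectional rule (the binat the thread uses).
# Inbound packets to $ext_addr go to $mx_int; outbound packets from
# $mx_int leave with source $ext_addr.
binat on $ext_if from $mx_int to any -> $ext_addr

# Option 2: the same mapping as an explicit rdr + nat pair
# (rdr without proto/port covers all ports, like binat does).
rdr on $ext_if from any to $ext_addr -> $mx_int
nat on $ext_if from $mx_int to any -> $ext_addr

# Both forms only translate packets that cross $ext_if. Traffic the
# firewall itself originates does not arrive inbound on $ext_if, which is
# why the reply suggests connecting to 10.0.1.50 directly.
#
# To confirm what is loaded and whether a state was created:
#   pfctl -s nat
#   pfctl -s state | grep 25
```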