Charles Collin wrote:
# NAT section
binat on ext_if from 10.0.0.B to any -> X.Y.Z.B

# Rules section, I only need https access to this machine.
block all
   .
   .
   .
pass in on ext_if proto tcp from any to X.Y.Z.B port https
pass out on dmz_if proto tcp from any to 10.0.0.B port https
pass in on dmz_if proto tcp from 10.0.0.B port https to any
pass out on ext_if proto tcp from X.Y.Z.B port https to any

Well ... this does not work and I can't find a reason why.

What I noticed:
When logged on to the OpenBSD box, a "telnet 10.0.0.B 443" works fine.
However, from the outside, I can't reach the port, as if the address was not translated and the packet was routed to the OpenBSD box where no web server runs.

The translation is done before the filtering, i.e. you have to match on the translated destinations on the incoming traffic:

pass in on ext_if proto tcp from any to 10.0.0.B port https

(at least that's what's going on with regular nat/rdr, I'm not really familiar with binat)

If you only want a couple of ports on the webservers to be reachable from the internet, I don't see the point in using binat over regular nat/rdr.

Cheers,
Martin
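An added illustration of Martin's point (example configuration, not from either poster): the rdr-based variant he suggests, in the same nat/rdr syntax the thread uses, with the filter rules written against the translated destination. The interface names are assumptions; X.Y.Z.B and 10.0.0.B are the thread's own placeholders, and `keep state` is added so reply packets are allowed back without extra rules.

```pf
# Added example, not the original poster's config. Assumed interfaces:
ext_if = "fxp0"        # external interface (assumption)
dmz_if = "fxp1"        # DMZ interface (assumption)
webserver = "10.0.0.B" # internal web server (placeholder from the thread)

# Translation section: only port 443 is redirected to the DMZ web server,
# so nothing else on X.Y.Z.B is exposed. Translation runs before filtering.
rdr on $ext_if proto tcp from any to X.Y.Z.B port https -> $webserver

# Filter section
block all

# WRONG: never matches. By the time the filter engine sees the inbound
# packet its destination has already been rewritten to 10.0.0.B.
# pass in on $ext_if proto tcp from any to X.Y.Z.B port https

# RIGHT: match the translated destination on the external interface ...
pass in  on $ext_if proto tcp from any to $webserver port https keep state
# ... and let it out towards the DMZ. The state entries created by these
# two rules also cover the replies coming back from 10.0.0.B.
pass out on $dmz_if proto tcp from any to $webserver port https keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -s state` to confirm a state entry appears for the translated address when an outside client connects.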
