On 5/14/05, GV <[EMAIL PROTECTED]> wrote:
> no, I don't need any port of that machine to be exposed to the Internet. Only
> a certain range.
> 
> I tried the following:
> 
> ------
> nat on $ext_if from $int_if:network to any -> $ext_if
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> rdr pass on $ext_if proto tcp from any to any port 8000 -> $cam1 port 80
> rdr pass on $int_if proto tcp from $cam1 to any -> $ext_if
> ------

The last rule is the culprit.  Traffic simply gets blocked by the
ISP's router because cam1 has an internal IP address.  The nat rule
should take care of the traffic from cam1 (if it is on
$int_if:network).

If you want certain ports to be redirected to an internal machine:

rdr on $ext_if from any to any port $ports_to_redirect -> $internal_machine

does the job.
> 
> I do get access to the internal ($cam1) port 80 but no response back from the
> other ports this machine is using! It's like a one-way communication!
> 
> If you say that I "will need to alias another ip to your obsd box and binat
> traffic destined to that address" you mean a public IP address?
> 
> Thanks
> 
> On Sunday 15 May 2005 00:05, Abraham Al-Saleh wrote:
> > Do you need every port on the mail server to be exposed to the internet?
> > that's how I originally interpreted your question. If you only need mail
> > server ports, then use the rdr statement, which you can again read about in
> > the pf.conf man page. Otherwise, you will need to alias another ip to your
> > obsd box and binat traffic destined to that address to your mail server.
> >
> > On 5/14/05, GV <[EMAIL PROTECTED]> wrote:
> > > thanks for your prompt reply.
> > >
> > > I do agree with you but when reading the manual concerning binat it says:
> > >
> > > ----
> > > ..Connections from the Internet to the external address will be
> > > translated to
> > > the internal address..
> > > ----
> > >
> > > which means that ANY connection from the Internet will be
> > > translated/redirected to this specific server which actually discharges
> > > my whole LAN?
> > >
> > > To be more specific, I first tried the following configuration:
> > >
> > > ----------
> > > binat on $ext_if from $cam1 to any -> $ext_if
> > > nat on $ext_if from $int_if:network to any -> $ext_if
> > > ----------
> > >
> > > and couldn't ssh my server any more cause my connection was automatically
> > > redirected to port 22 of the internal machine where no sshd was
> > > running!!!!!!!
> > >
> > > I think that I misunderstood binat but couldn't find any detailed docs or
> > > examples how to use it. If you have time to provide me some directions to
> > > this?
> > >
> > > Thanks for your support
> > >
> > > George
> > >
> > > On Saturday 14 May 2005 23:46, Abraham Al-Saleh wrote:
> > > > Use binat.
> > > >
> > > > From man (5) pf.conf:
> > > >
> > > > "binat
> > > > A binat rule specifies a bidirectional mapping between an external
> > > > IP netblock and an internal IP netblock."
> > > >
> > > > read the pf.conf manual page for more information.
> > > >
> > > > On 5/14/05, GV <[EMAIL PROTECTED]> wrote:
> > > > > Hi,
> > > > >
> > > > > I have a situation where an internal (located in a LAN and behind an
> > > > > OpenBSD firewall/NAT) has to be fully exposed to the Internet! What's the
> > > > > best way to achieve that?
> > > > >
> > > > > Thanks
> > > > >
> > > > > George
> 
> 


-- 
   Fourth law of programming:
   Anything that can go wrong wi
sendmail: segmentation violation - core dumped
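Added example, not part of the thread: a pf.conf fragment (pre-4.7 nat/rdr syntax, as used in the messages above) that puts the advice from this thread together. Interface names and the cam1 address are constructed placeholders. nat rewrites source addresses on the way out, rdr rewrites destination addresses on the way in, so the outbound path needs only the nat rule, and the stray "rdr ... from $cam1 -> $ext_if" line is dropped.

```pf
# Macros (assumed names and a constructed LAN address; adjust to your setup)
ext_if = "fxp0"
int_if = "fxp1"
cam1 = "192.168.1.50"
cam_ports = "{ 80 }"         # ports on cam1 that may be reached from outside

# Outbound: every LAN host, cam1 included, leaves with the firewall's address.
# This single rule already handles cam1's replies; no extra rdr is needed.
nat on $ext_if from $int_if:network to any -> $ext_if

# Inbound: only the chosen public port is forwarded to cam1; the rest of
# the LAN stays unreachable from the Internet.
rdr on $ext_if proto tcp from any to any port 8000 -> $cam1 port 80

# Same-port form of the responder's "rdr ... port $ports_to_redirect ->
# $internal_machine": public port N maps to cam1 port N for each listed port.
rdr on $ext_if proto tcp from any to any port $cam_ports -> $cam1

# Filtering runs after translation, so the pass rule must match the
# translated destination (cam1 port 80), not the public port 8000.
block in on $ext_if
pass in on $ext_if proto tcp from any to $cam1 port $cam_ports \
    flags S/SA keep state
pass out on $ext_if keep state
pass quick on $int_if

# Full exposure is what binat does: a 1:1 mapping of a DEDICATED public alias
# address, never the firewall's own $ext_if, or the firewall's own services
# (sshd included) get redirected to cam1 as happened earlier in this thread.
# binat on $ext_if from $cam1 to any -> $public_alias
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which catches syntax slips before the ruleset goes live.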
