YES! That was the problem! Thanks a lot! George
On Sunday 15 May 2005 01:02, Arnaud Bergeron wrote:
> On 5/14/05, GV <[EMAIL PROTECTED]> wrote:
> > no, I don't need any port of that machine to be exposed to the Internet.
> > Only a certain range.
> >
> > I tried the following:
> >
> > ------
> > nat on $ext_if from $int_if:network to any -> $ext_if
> > rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> > rdr pass on $ext_if proto tcp from any to any port 8000 -> $cam1 port 80
> > rdr pass on $int_if proto tcp from $cam1 to any -> $ext_if
> > ------
>
> The last rule is the culprit. Traffic simply gets blocked by the
> ISP's router because cam1 has an internal IP address. The nat rule
> should take care of the traffic from cam1 (if it is on
> $int_if:network)
>
> If you want certain ports to be redirected to an internal machine:
>
> rdr on $ext_if from any to any port $ports_to_redirect -> $internal_machine
>
> does the job.
>
> > I do get access to the internal ($cam1) port 80 but no response back from
> > the other ports this machine is using! It is like a one-way communication!
> >
> > If you say that I "will need to alias another ip to your obsd box and
> > binat traffic destined to that address" you mean a public IP address?
> >
> > Thanks
> >
> > On Sunday 15 May 2005 00:05, Abraham Al-Saleh wrote:
> > > Do you need every port on the mail server to be exposed to the
> > > internet? That's how I originally interpreted your question. If you
> > > only need mail server ports, then use the rdr statement, which you can
> > > again read about in the pf.conf man page. Otherwise, you will need to
> > > alias another ip to your obsd box and binat traffic destined to that
> > > address to your mail server.
> > >
> > > On 5/14/05, GV <[EMAIL PROTECTED]> wrote:
> > > > thanks for your prompt reply.
> > > >
> > > > I do agree with you but when reading the manual concerning binat it
> > > > says:
> > > >
> > > > ----
> > > > ..Connections from the Internet to the external address will be
> > > > translated to the internal address..
> > > > ----
> > > >
> > > > which means that ANY connection from the Internet will be
> > > > translated/redirected to this specific server which actually
> > > > discharges my whole LAN?
> > > >
> > > > To be more specific, I first tried the following configuration:
> > > >
> > > > ----------
> > > > binat on $ext_if from $cam1 to any -> $ext_if
> > > > nat on $ext_if from $int_if:network to any -> $ext_if
> > > > ----------
> > > >
> > > > and couldn't ssh to my server any more because my connection was
> > > > automatically redirected to port 22 of the internal machine where no
> > > > sshd was running!!!!!!!
> > > >
> > > > I think that I misunderstood binat but couldn't find any detailed
> > > > docs or examples on how to use it. If you have time to provide me some
> > > > directions on this?
> > > >
> > > > Thanks for your support
> > > >
> > > > George
> > > >
> > > > On Saturday 14 May 2005 23:46, Abraham Al-Saleh wrote:
> > > > > Use binat.
> > > > >
> > > > > From man (5) pf.conf:
> > > > >
> > > > > "binat
> > > > > A binat rule specifies a bidirectional mapping between an external
> > > > > IP netblock and an internal IP netblock."
> > > > >
> > > > > read the pf.conf manual page for more information.
> > > > >
> > > > > On 5/14/05, GV <[EMAIL PROTECTED]> wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I have a situation where an internal (located in a LAN and behind
> > > > > > an OpenBSD firewall/NAT) has to be fully exposed to the Internet!
> > > > > > What's the best way to achieve that?
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > George
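For readers who find this thread later, here is an added example (written for this page, not posted by anyone in the thread) of a complete pf.conf in the OpenBSD 3.x syntax used above: outbound NAT for the whole LAN, only the required camera ports redirected from the outside, and the rule the thread identifies as the culprit left out. The interface names, the camera address, the port list and the spare public address are constructed assumptions.

```pf
# Added example, not from any poster in the thread (OpenBSD 3.x pf syntax).
# Assumed values: interface names, camera address and ports are placeholders.
ext_if = "xl0"                  # assumed: interface facing the ISP
int_if = "xl1"                  # assumed: interface facing the LAN
cam1   = "192.168.1.10"         # assumed: the camera's private address
cam_ports = "{ 554, 1935 }"     # assumed: other ports the camera must serve

scrub in all

# Outbound: every LAN host, cam1 included, leaves with the firewall's public
# address. This one rule already handles the traffic cam1 sends back out.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# FTP helper from the thread (ftp-proxy listening on 127.0.0.1 port 8021).
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Inbound: expose only what is needed. Public 8000 maps to the camera's 80, as
# in the thread; the listed ports keep their numbers. "pass" lets the
# redirected connections through the filter rules below.
rdr pass on $ext_if proto tcp from any to any port 8000 -> $cam1 port 80
rdr pass on $ext_if proto tcp from any to any port $cam_ports -> $cam1

# Deliberately absent (the culprit from the thread):
#   rdr pass on $int_if proto tcp from $cam1 to any -> $ext_if
# rdr rewrites the destination address, so this pointed cam1's outbound
# packets at the firewall itself instead of back to the remote client. The
# nat rule above is the right tool for traffic leaving cam1.

# Alternative, only with a second public address aliased on $ext_if: a
# one-to-one mapping that exposes every port of cam1. It must never point at
# the firewall's own address, which is what redirected ssh earlier in the
# thread.
# cam1_public = "203.0.113.10"  # assumed: spare public IP aliased on $ext_if
# binat on $ext_if from $cam1 to any -> $cam1_public

# Filter rules: default deny from the outside, LAN allowed out.
block in log on $ext_if
pass quick on lo0
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if keep state
pass out on $ext_if proto { tcp, udp, icmp } all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and keep the `rdr pass` list to the ports the camera actually needs.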

