Alberich de megres wrote:
I tried what you told me, and that does not work, I get a syntax error.

my pf.conf:

# suppose 10.0.0.254 is the external address..
ext_if="sis0"
ext_carp_if="carp1"
int_if="rl0"
int_carp_if="carp0"

nat on carp1 from 192.168.1.0/24 to any -> 10.0.0.254

rdr on sis0 inet proto tcp from any to 10.0.0.254 port 80 -> 192.168.1.69port 80

You are missing a space between '192.168.1.69' and 'port'.

Fixing that makes pfctl -n happy.
pass all



On 5/14/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:
On Mon, May 14, 2007 at 06:12:12PM +0200, Alberich de megres wrote:
On 5/14/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:
On Mon, May 14, 2007 at 12:41:18PM +0200, Alberich de megres wrote:
Hi again,

And sorry to insist on this.... I'm really lost.

I read in most web docs that with an rdr rule traffic gets redirected to
internal servers, and that this plus a pass rule is enough. But I
find myself in a different scenario: with an rdr rule and a pass rule,
packets get redirected to the internal server with the same external
IP.

With a tcpdump on the internal server, packets arrive at the internal
server but this one doesn't answer it back.

If I add a nat rule from any to the internal server, the server logs
show me access only from the firewall IP address (logically). Is
there some way to redirect external traffic to the internal server and
have the internal server see the external address (for log control,
and access without a firewall rule, only on the server machine) and
have everything work fine?
I don't really see what you mean: is there a server with public address
1.2.3.4 behind a firewall with public address 1.2.3.1, and rules like

rdr pass on $ext_if to $server $port1 -> $port2
pass on $ext_if to $server port $port3

In that case, that should just work.
No,

There's a firewall with public address, and a server with internal
address.
firewall: 1.2.3.4
server: 192.168.1.1
In that case,

server = "192.168.1.1"

rdr pass on $ext_if to $ext_if $port1 -> $server
rdr pass on $ext_if to $ext_if $port2 -> $server $port3

should work just fine. What is your /etc/pf.conf? And what doesn't work?

(The underlying idea is that 'rdr pass' is very useful for simple cases,
and one should be careful with NAT.)

               Joachim

--
TFMotD: vclean (9) - disassociate the underlying file system from a
vnode
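As an added example, not the thread's own configuration, here is the poster's pf.conf rewritten with the macros actually used, the missing space fixed, the filter rule the redirect still needs, and the reply-routing caveat that rdr without nat depends on. The macro names ext_addr, int_net and web_srv are mine, and the assumption that 10.0.0.254 is the address on carp1 is taken from the poster's own comment.

```pf
# Added example, not the thread's own config: the poster's rules with the
# macros actually used and the missing space fixed.  ext_addr, int_net and
# web_srv are macro names introduced here; 10.0.0.254 is assumed to be the
# address on carp1, as the poster's comment suggests.
ext_if="sis0"
ext_carp_if="carp1"
int_if="rl0"
int_carp_if="carp0"
ext_addr="10.0.0.254"
int_net="192.168.1.0/24"
web_srv="192.168.1.69"

# Outbound NAT for the LAN.  It only rewrites the source of connections
# leaving the LAN, so it does not affect inbound connections to web_srv.
nat on $ext_carp_if from $int_net to any -> $ext_addr

# Inbound HTTP: only the destination is rewritten, so the server's logs
# keep the real client address.  ("192.168.1.69port 80" was the typo.)
rdr on $ext_if inet proto tcp from any to $ext_addr port 80 -> $web_srv port 80

# Filter rules are evaluated after translation, so match the internal address.
pass in on $ext_if inet proto tcp from any to $web_srv port 80 keep state
pass out on $int_if inet proto tcp from any to $web_srv port 80 keep state

# Caveat: because the client address is preserved, the server's replies must
# come back through this firewall (its default route must be the firewall's
# internal CARP address) or the state entry never sees them and the
# connection stalls, which looks exactly like "packets arrive but no answer".
# Check on the server with tcpdump: the SYN should carry the real client
# source, and the SYN/ACK should leave towards the firewall, not elsewhere.
#
# Do not "fix" that with a nat rule towards the server, e.g.
#   nat on $int_if from any to $web_srv -> ($int_if)
# It makes replies route correctly, but every client then shows up in the
# server logs as the firewall's address, which is the problem described above.
```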
