Jose H. wrote:
Thanks, one more question: what is the difference between:

rdr on $ext_if proto tcp from any to $pubip -> $privip
and
binat on $ext_if from $privip to any -> $pubip

Do I need both?

Thanks.
http://www.openbsd.org/faq/pf/nat.html#binat

TCP and UDP ports are never modified with binat. rdr and nat are considered directional: rdr for incoming connections, nat for outgoing. That said, either will work for you and you don't need both. binat is handy if you have a bunch of public IP addresses and you want to distinctly map each public address to an internal address with no port mangling.


On 6/23/07, Ryan McBride <[EMAIL PROTECTED]> wrote:
On Sat, Jun 23, 2007 at 09:50:36PM -0600, Jose H. wrote:
> Can anybody tell me what is wrong with these rules?

Is it source port or destination port? You're missing 'from any' or 'to
any' at least, and for a good security policy you should explicitly
specify source and/or destination IP addresses whenever possible.

Also, if this is 4.1 you don't need 'keep state' and 'flags S/SA',
they're on by default.

> pass on $ext_if inet proto tcp port $servicios_baseline_tcp flags S/SA
> keep state
> pass on $ext_if inet proto udp port $servicios_baseline_udp
> keep state
> pass on $ext_if inet proto icmp icmptype $servicios_baseline_icmp
> keep state
Aaron
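To make the rdr/nat versus binat distinction concrete, here is a constructed pf.conf fragment (added example, not from the thread; it uses the pre-OpenBSD-4.7 translation syntax the thread uses, and the interface name, addresses and port list are placeholders):

```pf
# Constructed example: one public address mapped to one internal host,
# written both ways. Interface, addresses and ports are placeholders.
ext_if  = "em0"
pubip   = "203.0.113.10"   # placeholder public address
privip  = "10.0.0.20"      # placeholder internal address
web_tcp = "{ 80, 443 }"    # the only ports the internal host serves

# Variant A: directional, port-aware translation.
# rdr covers inbound connections and is limited to the served ports, so
# nothing else reaching $pubip is forwarded; nat covers the host's
# outbound connections. Two rules, but a narrower exposure.
rdr on $ext_if proto tcp from any to $pubip port $web_tcp -> $privip
nat on $ext_if from $privip to any -> $pubip

# Variant B: a single bidirectional 1:1 mapping with no port rewriting.
# Equivalent to an rdr for every port plus the nat above, so it exposes
# every port the internal host listens on. Commented out here so that
# only one variant is active at a time.
# binat on $ext_if from $privip to any -> $pubip

# Translation never passes traffic by itself; filter rules still decide,
# and they see the translated addresses (inbound traffic is filtered on
# $privip, outbound on $pubip). On 4.1 and later "keep state" and
# "flags S/SA" are the defaults, so they are omitted.
block in on $ext_if
pass in  on $ext_if inet proto tcp from any to $privip port $web_tcp
pass out on $ext_if inet from $pubip to any
```

With either variant, `pfctl -s nat` shows the loaded translation rules and `pfctl -s state` shows whether a test connection was actually translated.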