On Mon, Sep 02, 2002 at 03:12:35PM +0200, Clemens Dumat wrote:
> Your version would also allow packets directed to 192.168.0.100:80 (which were
> NOT translated by the rdr-rule on de0) through the firewall. These packets
> shouldn't be allowed, IMHO. These packets shouldn't arrive there, for sure, but
> I think it would be safer this way. For example, with a scanner directly
> attached to the outer interface de0 it would be possible to find out about
> private IPs used in the DMZ (and that should not be possible, IMHO).
I remember I had this discussion before, and there are two pretty simple approaches: add one more rdr on the external interface that redirects all incoming connections which have a local destination address to some special local address (127.6.6.6 or whatever) and then block this destination address with filter rules. Or use two machines, an outer one filtering the not-yet-translated packets and an inner one doing the redirection.

rdr applying to outgoing connections has some ugly implications, apart from just adding more complexity and bloat. I see what you mean, but I don't think this is worth it. The new rdr semantics, I mean, not route-reply-to itself.

Daniel
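The first approach in the reply above, written out as a pf.conf fragment. This is an added example, not a configuration from the thread: de0, 192.168.0.100 and 127.6.6.6 come from the messages, while the 192.168.0.0/24 DMZ range and the 192.0.2.1 public address are constructed placeholders; it relies on pf evaluating translation rules first-match.

```pf
# Constructed pf.conf fragment. Translation (rdr) rules are first-match in pf,
# so the specific redirect must be listed before the catch-all sink redirect.
ext_if   = "de0"              # outer interface, from the thread
ext_addr = "192.0.2.1"        # constructed public address of the firewall
dmz_net  = "192.168.0.0/24"   # assumed private DMZ range
web_srv  = "192.168.0.100"    # DMZ web server, from the thread
sink     = "127.6.6.6"        # unused local address that only serves as a black hole

# Legitimate traffic: connections to the public address on port 80 are
# translated to the DMZ web server.
rdr on $ext_if proto tcp from any to $ext_addr port 80 -> $web_srv port 80

# Anything arriving on de0 that still names a private DMZ address (i.e. was
# not translated by the rule above) has its destination rewritten to the sink.
rdr on $ext_if from any to $dmz_net -> $sink

# Filter rules see post-translation addresses. A plain "block ... to $dmz_net"
# would also drop the translated web traffic, so the sink is what gets blocked:
# translated requests carry destination $web_srv, untranslated probes carry $sink.
block in log quick on $ext_if from any to $sink
pass  in     quick on $ext_if proto tcp from any to $web_srv port 80 keep state
block in on $ext_if all
```

With the logging `block` rule, `pflog` records the untranslated probes with their original source address, which is the evidence you want when checking whether the outer interface is being scanned for DMZ addresses.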
