Two possible issues: (1) pf will not redirect to another machine on the same interface. Therefore, in your case, any 192.168.11/24 box attempting to connect to the public IP address of the mail server will NOT get redirected back to the private IP address of the mail server because the source and destination are on the same interface.
(2) Looking at your pf.conf rules, you might want to change your original

rdr on $ext_if proto tcp from any to $ext_if port 25 -> $www_mail

to

rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> $www_mail

(note the added parentheses). pf internally translates "($ext_if)" to the IP address of $ext_if, so the above change should at least let packets coming through the external interface be redirected to the private IP of the mail server on the internal interface.

Hope this helps,

--jim

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Elijah Savage
> Sent: Wednesday, November 30, 2005 10:32 AM
> To: [email protected]
> Subject: PF will not redirect to internal boxes
>
> I am trying to redirect web and mail service to an internal server on the
> local LAN. This is my entire pf.conf below, and I just can't figure out
> for the life of me why this does not work. I did a fresh install from
> 3.6 to 3.8 on a sparc 20 and I am starting to believe something did not
> go right with the install, though it went on cleanly. I would appreciate
> greatly someone giving me a sanity check. My internal clients can get
> out through the firewall to the net. I have taken out all the fancy altq
> stuff I had in 3.6 and dumbed it down as much as possible to what you
> see below.
>
> #Macros
> ext_if="le1"
> prv_if="le0"
> web_ports = "{ http, https }"
> prv_hosts = "{192.168.11.0/24}"
> www_mail = "192.168.11.250"
>
> #Options
>
> #Normalize Packets
> scrub in all
> scrub out all
>
> #Translate packets
> nat on $ext_if from $prv_if:network to any -> ($ext_if)
>
> #Redirect for Internal Server
> rdr on $ext_if proto tcp from any to $ext_if port 25 -> $www_mail
> rdr on $ext_if proto tcp from any to $ext_if port $web_ports -> $www_mail
>
> #Filter Packets, Block all packets coming in from the outside and log them
> block in log all
> #Pass all connections originating from the firewall
> pass out quick on $ext_if from ($ext_if) to any flags S/SA modulate state
> #Pass all connections originating from the screened lan
> pass in quick on $prv_if from $prv_hosts to any flags S/SA keep state
> #pass traffic from the net to internal host
> pass in on $ext_if proto tcp from any to $www_mail port 25 flags S/SA synproxy state
> pass in on $ext_if proto tcp from any to $www_mail port $web_ports flags S/SA synproxy state
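Putting jim's two points together, here is a complete ruleset in the OpenBSD 3.x pf.conf dialect (separate nat/rdr and filter sections, translation rules before filter rules). This is an added example, not jim's or Elijah's code; it reuses the interface names, macros and addresses from the posted pf.conf and adds nothing else. The parenthesized ($ext_if) resolves the interface's current address at run time, so the rdr keeps matching if the external address changes. The reflection block covers jim's point (1): a LAN client connecting to the public address sends its packets in on $prv_if, so the rdr on $ext_if never sees them and a second rdr on $prv_if is needed. The accompanying nat rewrites the client's source address to the firewall's internal address; without it the server would answer the client directly from 192.168.11.250, the client would see a reply from an address it never sent to, and the connection would fail. This follows the "redirection and reflection" technique from the pf user's guide of that era.

```conf
# Macros (same names and addresses as the posted pf.conf)
ext_if="le1"
prv_if="le0"
web_ports="{ http, https }"
prv_hosts="{ 192.168.11.0/24 }"
www_mail="192.168.11.250"

# Normalization
scrub in all
scrub out all

# --- Translation rules (must precede filter rules in this pf.conf dialect) ---

# Outbound masquerading for the LAN. ($ext_if) is evaluated when the packet
# is seen, not when the ruleset is loaded.
nat on $ext_if from $prv_if:network to any -> ($ext_if)

# Inbound redirection from the Internet: match the firewall's external
# address, written with parentheses, rather than the bare interface name.
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> $www_mail
rdr on $ext_if proto tcp from any to ($ext_if) port $web_ports -> $www_mail

# Reflection for LAN clients that use the public address. Their packets
# arrive on $prv_if, so the rdr has to live on that interface. The nat
# rules below make the server reply through the firewall instead of
# directly to the client; "no nat" exempts the firewall's own LAN traffic.
rdr on $prv_if proto tcp from $prv_if:network to ($ext_if) port 25 -> $www_mail
rdr on $prv_if proto tcp from $prv_if:network to ($ext_if) port $web_ports -> $www_mail
no nat on $prv_if proto tcp from $prv_if to $prv_if:network
nat on $prv_if proto tcp from $prv_if:network to $www_mail port 25 -> $prv_if
nat on $prv_if proto tcp from $prv_if:network to $www_mail port $web_ports -> $prv_if

# --- Filter rules ---

# Default deny inbound and log it
block in log all
# Connections originating from the firewall itself
pass out quick on $ext_if from ($ext_if) to any flags S/SA modulate state
# Connections originating from the screened LAN (also carries reflected
# traffic, whose translated source is still inside 192.168.11.0/24)
pass in quick on $prv_if from $prv_hosts to any flags S/SA keep state
# Inbound from the net: filter on the post-translation (private) address
pass in on $ext_if proto tcp from any to $www_mail port 25 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $www_mail port $web_ports flags S/SA synproxy state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm the translation rules took effect with `pfctl -s nat` (the rdr rules are listed there too) after `pfctl -f /etc/pf.conf`. Two caveats: with reflection, the server sees every LAN client as the firewall's internal address, so per-client logging and rate limiting on the server no longer work for LAN traffic; the cleaner fix is split DNS, so that internal clients resolve the mail and web hostnames to 192.168.11.250 and never touch the public address. Also keep the translation section above the filter section; in this pf version a filter rule before a nat or rdr rule is a load error.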
