On 2008/01/20 16:48, Samuel Penn wrote:
>
> However, I'm now trying to do the same with some other ports, without
> any luck. I'm starting by trying to allow access to the web page for
> an internal ejabberd installation (running on port 5280, on host
> 192.168.11.3), however adding in a similar rule for port 5280 fails
> to work for both external and internal connections, and though
> tcpdump shows the redirect happening, the browser receives no response,
> and the web server log shows that it hasn't received anything.
You should currently be seeing the SYN packets reach cagliostro
if you run tcpdump there, and ACK being sent *directly to fenris*.
This won't work; the ACK (and other packets) must be sent to
the firewall to be rewritten ("un-rdr'ed").
http://www.openbsd.org/faq/pf/rdr.html#reflect has various
ways around this. If I can't use split-horizon DNS or place at
least one address on the server in a separate network/vlan
[N.B. this can be done without vlan support on the switch],
I usually choose the rdr/nat combination (which the FAQ
gives as an option but tries to talk people out of) rather
than a userland proxy.
None of this explains the _external_ connections not working
though, and I don't see a reason for that from the ruleset
you showed. tcpdump might help there.
> --
> Be seeing you, http://www.glendale.org.uk
^^^^
:-)
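The rdr/nat combination mentioned above, written out for the setup in this thread (ejabberd's web interface on 192.168.11.3 port 5280) as an added example, not taken from the original post or the FAQ verbatim. The interface names, the macro names and the internal network 192.168.11.0/24 are assumptions, and the syntax is the pre-4.7 pf.conf translation syntax that was current in 2008.

```pf
# Added example, not from the original post. Interface and network
# names below are assumed; only the server address and port come from
# the thread. Pre-OpenBSD 4.7 pf syntax (separate rdr/nat rules).
ext_if  = "fxp0"              # firewall's external interface (assumed)
int_if  = "fxp1"              # firewall's internal interface (assumed)
int_net = "192.168.11.0/24"   # internal LAN (assumed from the host address)
ejabberd = "192.168.11.3"

# 1. External clients: a plain redirect on the outside interface.
rdr on $ext_if proto tcp from any to $ext_if port 5280 -> $ejabberd

# 2. Internal clients that connect to the firewall's external address.
#    The rdr alone rewrites the destination, but the server then answers
#    the client directly on the LAN; that SYN/ACK never passes the
#    firewall, so it is never "un-rdr'ed" and the client drops it.
#    Source-NATing the client to the firewall's internal address forces
#    the server's replies back through the firewall.
rdr on $int_if proto tcp from $int_net to $ext_if port 5280 -> $ejabberd
no nat on $int_if proto tcp to $int_if
nat on $int_if proto tcp from $int_net to $ejabberd port 5280 -> $int_if

# 3. Filter rules see the translated addresses, so they must pass
#    traffic to the real server, not to the firewall's address.
pass in on $ext_if proto tcp from any     to $ejabberd port 5280 flags S/SA keep state
pass in on $int_if proto tcp from $int_net to $ejabberd port 5280 flags S/SA keep state
```

The price of this approach, and the reason the FAQ steers people toward split-horizon DNS or a separate network for the server, is that ejabberd's web log shows every internal client as the firewall's internal address instead of the real client. The `no nat` line keeps connections aimed at the firewall's own internal address from being translated.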