On Fri, Sep 05, 2008 at 06:55:38PM +0200, [EMAIL PROTECTED] wrote:
>
> hi everybody,
> my work now is to change a linux firewall with iptables to freebsd/pf/carp
> (they chose freebsd, i can't say anything to change that, except
> if in a new version of pf on openbsd i can resolve the problem below)
>
> i migrated 6500 lines of iptables with no problem in ten days
> there are 400 servers to filter and maybe more in the new datacenter
> (1400/1700)
>
> the firewall does nat!
>
> they have something like this:
> iptables -t nat -I PREROUTING -d <pub ip> -j DNAT --to <priv ip>
>
> the idea behind it is that two servers on the same lan
> behind the firewall could see each other as if they were on the internet in
> different places; they use webservices and they already deal with that.
>
> the first contacts the second not on the lan but through the firewall with the
> public address.
> the firewall must be in production next week,
> they just told me this new thing they want this morning
> (and it was not in the first part i migrated)
> and i am finishing the last three hours i must do on this project.
> if i don't win ;) they stay with iptables.
>
> i tried some ideas from http://www.openbsd.org/faq/pf/rdr.html
> but most of what i do for the servers is binat
> and not rdr.
> i can't deal with netcat for such a project; pftpx is already a bit dirty for
> them compared to conntrack.
> thank you for your help
The "reflection" method is indeed what you want. You're only binat'ing if the
traffic makes it outbound. The idea with reflection is to intercept the packets
destined for the "external hostname" and redirect them on the internal interface
to the intended server. So you would have a binat rule for traffic out to the
internet, and rdr/no-nat/nat rules for traffic to your own servers.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
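For anyone landing on this thread later, here is what the binat-plus-reflection
combination Jason describes looks like in pf.conf. This is an added example
written for this archive, not Jason's or the original poster's ruleset; the
interface names, the addresses and the choice of TCP are assumptions, and the
syntax is the pre-OpenBSD-4.7 form that FreeBSD's pf and the OpenBSD of 2008
use (newer OpenBSD writes the same thing as "match ... nat-to" and
"pass ... rdr-to").

```pf
# Constructed example: 1:1 NAT for a server plus "reflection" so that a
# client on the same LAN can reach that server via its public address.
# Interface names and addresses are assumed for illustration.
ext_if   = "em0"
int_if   = "em1"
int_net  = "10.0.0.0/24"
srv_priv = "10.0.0.80"        # the web-services server behind the firewall
srv_pub  = "203.0.113.80"     # its public address (an alias on $ext_if)

# Translation rules are evaluated first match wins, so order matters.

# 1. The existing binat. It is only consulted for packets crossing $ext_if,
#    so a LAN client sending to $srv_pub never triggers it: that packet
#    arrives on $int_if, is addressed to the firewall itself, and is simply
#    dropped (or answered by the firewall) unless something redirects it.
binat on $ext_if from $srv_priv to any -> $srv_pub

# 2. Reflection: catch the LAN client's packet on the internal interface
#    and redirect it to the server's private address.
rdr on $int_if proto tcp from $int_net to $srv_pub -> $srv_priv

# 3. Keep the firewall's own connections to the LAN untranslated (the
#    "no nat" must precede the nat rule it exempts).
no nat on $int_if proto tcp from $int_if to $int_net

# 4. Without this the server would answer the client directly across the
#    LAN with its private source address, and the client, which sent to
#    $srv_pub, would discard the reply. Rewriting the source to $int_if's
#    address forces the reply back through the firewall, where the state
#    entry undoes both translations.
nat on $int_if proto tcp from $int_net to $srv_priv -> $int_if

# Translation rules only rewrite addresses; the traffic still has to be
# passed. Filter rules see the post-translation addresses.
pass in  on $int_if proto tcp from $int_net to $srv_priv keep state
pass out on $int_if proto tcp from any to $srv_priv keep state
pass in  on $ext_if proto tcp from any to $srv_priv keep state
```

Check it with "pfctl -nf /etc/pf.conf" before loading, then open a
connection from a LAN client to $srv_pub and look at "pfctl -s state": you
should see two translated states for the one connection, the rdr on the way in
and the nat on the way out. The price of rule 4 is that the server logs the
firewall's internal address instead of the real client for LAN-originated
requests; if the application needs the client's address, the server must be
moved onto its own interface or segment so that replies already route through
the firewall and the nat rule can be dropped.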
