Trave Harmon wrote:
Mine is on but it still doesn't work.
Is there a way to verify at the command prompt level if it is working?
-----Original Message-----
From: Dimitri Rodis [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2008 8:10 PM
Maybe I'm off the mark by saying this, but I think NAT reflection should
be ON by default-- can't think of any security risks associated with it
really, since the machine you are trying to hit is presumably already
behind the same NAT as you are..
That would solve any future issues, anyway..
Wait a minute, historically the BSD stack (or at least the FreeBSD
implementation) has always been unable to do NAT on a single interface.
To be more clear, it's not possible to rewrite a packet and have it
leave the stack back on the same interface from which it came in the first place.
Please read http://www.openbsd.org/faq/pf/rdr.html#reflect (see:
Redirection and Reflection)
So, reflection rules work great if the LAN hosts need to access the
NAT-ed hosts on a DMZ, but not on a single internal LAN (or, in my
example, for reciprocal access by the DMZ hosts).
In your case the solution is 'Split-Horizon DNS'. Put the addresses of
all the MX servers in a single DNS zone, and configure the servers
themselves to receive resolution for that zone from an internal DNS
which will hand out internal IPs.
Angelo Turetta
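For the "verify at the command prompt" question above, and for the distinction Angelo draws between reflection toward a DMZ and reflection on a single internal LAN, here is an added example that is not part of the thread and not code from pfSense or OpenBSD. It checks the output of `pfctl -s nat` (which pf actually provides) for the two rules reflection needs: an rdr on the LAN-facing interface for the public address, and, when the server sits on the same subnet as the client, a source-NAT rule that forces the server's replies back through the firewall (the combined rdr+nat approach described in the linked FAQ). The interface names (em0 WAN, em1 LAN), the addresses (203.0.113.10 public MX, 192.168.1.25 internal mail host, 192.168.1.0/24 LAN) and the two sample rule listings are all constructed for illustration, not captured from a real box.

```shell
#!/bin/sh
# Added example: checks pf's NAT rule listing for the rules NAT reflection needs.
# Assumed layout (not from the thread): WAN em0, LAN em1, public MX 203.0.113.10,
# internal mail host 192.168.1.25, LAN network 192.168.1.0/24.

# Constructed sample of `pfctl -s nat` on a box WITH reflection configured
# (formatted like pf's rule listing; not captured from a live system).
SAMPLE_NAT_WITH_REFLECTION='nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10
rdr on em0 inet proto tcp from any to 203.0.113.10 port = smtp -> 192.168.1.25 port 25
rdr on em1 inet proto tcp from 192.168.1.0/24 to 203.0.113.10 port = smtp -> 192.168.1.25 port 25
nat on em1 inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp -> (em1)'

# Constructed sample WITHOUT reflection: only the WAN-side rdr exists, so a LAN
# host connecting to 203.0.113.10 is never redirected.
SAMPLE_NAT_NO_REFLECTION='nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10
rdr on em0 inet proto tcp from any to 203.0.113.10 port = smtp -> 192.168.1.25 port 25'

# Escape dots so an IP can be used inside a grep -E pattern.
ip_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# has_reflection_rdr LAN_IF PUBLIC_IP   (reads `pfctl -s nat` output on stdin)
# Returns 0 if an rdr rule on the LAN-facing interface redirects the public
# address, i.e. the rule NAT reflection adds; 1 otherwise.
has_reflection_rdr() {
    lan_if=$1
    pub=$(ip_re "$2")
    grep -Eq "^rdr (pass )?on ${lan_if} .* to ${pub}( |\$)"
}

# has_same_subnet_nat LAN_IF SERVER_IP   (reads `pfctl -s nat` output on stdin)
# Returns 0 if a nat rule on the LAN interface rewrites the client's source
# address to the firewall (-> (LAN_IF)) for traffic to the server. Without it,
# a server on the same subnet as the client answers directly and the client
# sees a reply from an address it never contacted, so the connection fails.
has_same_subnet_nat() {
    lan_if=$1
    srv=$(ip_re "$2")
    grep -Eq "^nat on ${lan_if} .* to ${srv} .*-> \(${lan_if}\)"
}

# reflection_status LAN_IF PUBLIC_IP SERVER_IP  (reads `pfctl -s nat` on stdin)
# Prints one of: none, dmz-only, full
#   none     - no reflection rdr on the LAN interface
#   dmz-only - rdr present; works when the server is on another interface (DMZ)
#   full     - rdr plus same-subnet nat; works for a server on the same LAN
reflection_status() {
    listing=$(cat)
    if ! printf '%s\n' "$listing" | has_reflection_rdr "$1" "$2"; then
        echo none
    elif printf '%s\n' "$listing" | has_same_subnet_nat "$1" "$3"; then
        echo full
    else
        echo dmz-only
    fi
}

# On a real pfSense/FreeBSD box run it against the live ruleset; a non-zero
# exit from has_reflection_rdr means the LAN-side rdr is simply not loaded.
if command -v pfctl >/dev/null 2>&1; then
    pfctl -s nat | reflection_status em1 203.0.113.10 192.168.1.25
fi
```

To confirm end to end from a LAN host, also watch `pfctl -s state` on the firewall while connecting to the public address on port 25: with reflection working you should see a state whose destination was rewritten to the internal host; if nothing appears, the packet is not traversing pf at all, which is the single-LAN case Angelo describes.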