mouss wrote:
[snip]
> >What I like to see is whether we can combine FW2 and NAT:
> >
> >1. C -> FW2-E
> >2. FW2 doing rdr *and map*: C -> FW2-E becomes FW2-I -> W
> >3. W -> FW2-I
> >4. FW2 rewrite back: W -> FW2-I becomes FW2-E -> C
> >
> >Note that step 2 above is not bimap. I think Darren introduced new
> >syntax in 3.4.x to allow:
> >
> >rdr ifX from ip1/m1 to ip2/m2 port = xx -> ip3 port xx
> >
> >If it can be written as:
> >
> >rdr ifX from ip1/m1 to ip2/m2 port = xx -> from ip3/m3 to ip4/m4 port xx
> 
> Use 2 different rules: a map and an rdr.
> - an rdr on the external interface to redirect traffic to the server
> - a map on the internal interface to convert clients addresses.

Hmm, I didn't even think of that. All in my mind was that ipnat rules are
"first match" as opposed to "last match" in ipf rules. So I was thinking
once an ipnat rule matches the packet, that's it and no more rules will
be applied to the packet...

I did some experiments immediately on my OpenBSD 2.8 box, and it worked
as expected!!! So I'd assume the nat rules will be applied to the packet
whenever it passes through an interface - once when it passes the
external, once when it passes the internal, right?

Anyway, it worked! I owe you a million thanks, mouss :-)

Dennis
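For readers who want to see the two-rule arrangement mouss suggests written out, here is a constructed ipnat.conf for the C -> FW2-E -> W exchange in the quoted message. It is an added illustration, not a configuration from either poster: the interface names ext0/int0, the addresses chosen for FW2-E, FW2-I and W, the `from ... to ... port =` form of the rules and the portmap range are all assumptions (the `from`/`to` syntax is the one the thread attributes to IPFilter 3.4.x, so check it against your version with a dry run before loading it).

```conf
# Constructed example: /etc/ipnat.rules for the scenario in the thread.
# Names and addresses below are assumptions, not values from the posts.
#
#   FW2-E = 203.0.113.1    outside address, on interface ext0
#   FW2-I = 192.168.10.1   inside address,  on interface int0
#   W     = 192.168.10.80  the server behind FW2, serving TCP port 80
#   C     = any outside client

# Step 2, first half. rdr is evaluated for packets ARRIVING on ext0:
# C -> FW2-E:80 becomes C -> W:80. Only the destination changes here.
rdr ext0 from 0.0.0.0/0 to 203.0.113.1/32 port = 80 -> 192.168.10.80 port 80 tcp

# Step 2, second half. map is evaluated for packets LEAVING int0, so the
# same packet, now addressed to W, gets its source rewritten to FW2-I:
# C -> W:80 becomes FW2-I -> W:80. W therefore answers the firewall and
# never needs a route back to C.
# "to 192.168.10.80/32 port = 80" keeps the rule narrow: it only fires on
# traffic whose DESTINATION is W:80, so connections W opens itself (where
# 80 would be the source port) and replies to them are left alone.
map int0 from 0.0.0.0/0 to 192.168.10.80/32 port = 80 -> 192.168.10.1/32 portmap tcp 10000:20000

# Steps 3 and 4 need no rules of their own: both rules above create NAT
# state, and W's replies are matched against that state and untranslated
# in reverse order (W -> FW2-I becomes FW2-E -> C) on the way back out.
```

Parse the file with `ipnat -n -f /etc/ipnat.rules` first (`-n` reads the rules without touching the kernel), then load it with `ipnat -CF -f /etc/ipnat.rules` and watch `ipnat -l` while a client connects: one connection should produce two translation entries, one from each rule, which is the per-interface behaviour Dennis observed. One operational consequence worth planning for before deploying this: W sees every outside client as FW2-I, so its own access logs no longer identify the real source, and any incident investigation has to correlate through the firewall's NAT state or ipmon log to recover the client address.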
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
