Hi,

Yeah man, that worked!!!!

Thanks for everything and your patience.

Thanks again.


On 5/14/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:
>
> On Mon, May 14, 2007 at 07:25:34PM +0200, Alberich de megres wrote:
> > On 5/14/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> > >
> > > On Mon, May 14, 2007 at 06:12:12PM +0200, Alberich de megres wrote:
> > > > On 5/14/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > On Mon, May 14, 2007 at 12:41:18PM +0200, Alberich de megres wrote:
> > > > > > Hi again,
> > > > > >
> > > > > > And sorry to insist on this.... I'm really lost.
> > > > > >
> > > > > > I read in most web docs that with an rdr rule traffic gets redirected to
> > > > > > internal servers, and with this and a pass rule it is enough. But I
> > > > > > find myself in a different scenario: with an rdr rule and a pass rule
> > > > > > packets get redirected to the internal server with the same external
> > > > > > IP.
> > > > > >
> > > > > > With a tcpdump on the internal server, packets arrive at the internal
> > > > > > server but this one doesn't answer back.
> > > > > >
> > > > > > If I add a nat rule from any to the internal server, the server logs
> > > > > > show me access only from the firewall IP address (logically). Is
> > > > > > there some way to redirect external traffic to the internal server and
> > > > > > have the internal server see the external address (for log control,
> > > > > > and access without a firewall rule... only on the server machine) and
> > > > > > have it all work fine?
> > > > >
> > > > > I don't really see what you mean: is there a server with public address
> > > > > 1.2.3.4 behind a firewall with public address 1.2.3.1, and rules like
> > > > >
> > > > > rdr pass on $ext_if to $server port $port1 -> $port2
> > > > > pass on $ext_if to $server port $port3
> > > > >
> > > > > In that case, that should just work.
> > >
> > > > No,
> > > >
> > > > There's a firewall with a public address, and a server with an internal address.
> > > >
> > > > firewall: 1.2.3.4
> > > > server: 192.168.1.1
> > >
> > > In that case,
> > >
> > > server = "192.168.1.1"
> > >
> > > rdr pass on $ext_if to $ext_if $port1 -> $server
> > > rdr pass on $ext_if to $ext_if $port2 -> $server $port3
> > >
> > > should work just fine. What is your /etc/pf.conf? And what doesn't work?
> > >
> > > (The underlying idea is that 'rdr pass' is very useful for simple cases,
> > > and one should be careful with NAT.)
> >
> > I tried what you told me, and that doesn't work, I get a syntax error
> >
> > my pf.conf:
> >
> > # suppose 10.0.0.254 is the external address..
> > ext_if="sis0"
> > ext_carp_if="carp1"
> > int_if="rl0"
> > int_carp_if="carp0"
> >
> > nat on carp1 from 192.168.1.0/24 to any -> 10.0.0.254
> > rdr on sis0 inet proto tcp from any to 10.0.0.254 port 80 -> 192.168.1.69 port 80
> >
> > pass all
>
> Why are you messing with CARP before the whole thing works at all? CARP
> is wonderful and not that difficult to set up, but there are a couple of
> gotchas in combining CARP and pf that are best dealt with once you know
> pf.conf works. At least the first time.
>
> Also, actually using the $ext_if macro might be more useful than just
> defining it; there is no magic there, it's just a common macro to
> define. 'pass all' is the default; no need to define it. Your handling
> of IPv6 makes little sense (why allow IPv4 to $server port 80, but
> handle IPv6 on the firewall? Either 'block drop inet6' or do without
> 'inet'). Finally, symbolic names are more readable: use 'http' instead
> of '80'.
>
> That said,
>
> ext_if=sis0
> int_if=rl0
> server=192.168.1.69
>
> nat on $ext_if from $int_if:network -> $ext_if
> rdr on $ext_if inet proto tcp to $ext_if port http -> $server
>
> should work for the no-CARP scenario. With CARP, that should become
> something like the below (not tested):
>
> ext_if_base=sis0
> ext_if_carp=carp1
> int_if_base=rl0
> int_if_carp=carp0
> server=192.168.1.69
>
> nat on $ext_if_base from $int_if_carp:network -> ($ext_if_carp)
> rdr on $ext_if_base proto tcp to $ext_if_carp port http -> $server
>
>                Joachim
>
> --
> TFMotD: trek (6) - trekkie game

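The rules from Joachim's reply above, assembled into one complete /etc/pf.conf for the no-CARP case. This is an added example for this page, not a file anyone posted in the thread, and it has not been loaded on a live box. It keeps the thread's addresses (firewall 10.0.0.254 on sis0, web server 192.168.1.69 on rl0) and the OpenBSD 4.x nat/rdr syntax used throughout the thread; the `set skip`, `block drop inet6` and default-deny filter lines are additions that follow his remarks about IPv6 and `pass all` rather than anything he wrote out.

```pf
# Added example (not from the thread): complete pf.conf for the no-CARP
# scenario. Interface names and addresses are the ones in the thread.
ext_if = "sis0"
int_if = "rl0"
server = "192.168.1.69"

# Options
set skip on lo0

# Only IPv4 is translated below, so be consistent and drop IPv6 instead
# of letting it reach the firewall itself.
block drop inet6

# Translation: outbound LAN traffic is hidden behind the firewall's
# external address. ($ext_if) re-reads the address if it changes.
nat on $ext_if inet from $int_if:network to any -> ($ext_if)

# Inbound HTTP to the external address is redirected to the server.
# rdr only rewrites the destination, so the server still sees the real
# client address in its logs. 'pass' lets the translated packet through
# without a separate filter rule.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port http -> $server

# Filter: default deny instead of 'pass all', then let the LAN out.
block in log all
pass out keep state
pass in on $int_if inet from $int_if:network to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then use `pfctl -sn` and `pfctl -ss` to confirm the translation rules and the states the redirect creates. One caveat that the rules alone do not show: because rdr leaves the client's source address intact, the server's replies are addressed to the Internet client and must route back through the firewall's rl0 address; if the server's default route points elsewhere, packets arrive (as tcpdump on the server shows) but the handshake never completes. Adding a `nat ... to $server` rule hides this by rewriting the source to the firewall, which is exactly why the server then logs only the firewall's IP. For the CARP case, the external addresses in the nat and rdr rules move to the carp interfaces as in Joachim's untested sketch above.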