This was good advice, Stuart! Thanks!
I used a pair of nat and rdr rules to replace my binat rule and it works
as expected!

thanks again guys.

Stuart Henderson wrote:
On 2008-09-30, Comhte <[EMAIL PROTECTED]> wrote:
I use ftp-proxy to allow FTP client connections from my LAN and it works
well. On my DMZ, I have multiple servers (web, dns, smtp, etc.) and they
each have a different public IP. So, I use binat rules to nat them
easily and it works fine too.
But I need to allow these servers on the DMZ to make FTP client connections
to external servers too. So I have put in a rdr rule like the one I did for
my LAN to make my DMZ servers use the ftp-proxy daemon. But this doesn't
work; I can only connect to external FTP servers from my DMZ servers if I
disable the binat rule associated with the server which tries to connect.

My question is, is there a way to do what I want to do? :)

pf.conf(5)

     Evaluation order of the translation rules is dependent on the type of the
     translation rules and of the direction of a packet.  binat rules are
     always evaluated first.  Then either the rdr rules are evaluated on an
     inbound packet or the nat rules on an outbound packet.  Rules of the same
     type are evaluated in the same order in which they appear in the ruleset.
     The first matching rule decides what action is taken.

So you need to disable the binat rule and use a pair of nat and
rdr instead.

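The fix Stuart describes, written out as a pf.conf fragment in the pre-4.7 translation-rule syntax the quoted pf.conf(5) text refers to. This is an added example, not configuration posted by either participant; the interface names (em0 external, em1 DMZ, em2 LAN), the addresses and the port list are assumptions. Because binat is always evaluated before any nat or rdr rule, a binat for the DMZ host wins over both the ftp-proxy redirect and the rules ftp-proxy installs in its anchors; a nat/rdr pair is ordinary translation rules, so the ftp-proxy anchors and the port-21 redirect can be placed ahead of it and match first:

```pf
# Added example, not from the thread. Assumed layout: em0 external, em1 DMZ,
# em2 LAN; 203.0.113.10 is the public address of one DMZ server, 10.0.1.10
# its DMZ address; ftp-proxy listens on 127.0.0.1 port 8021.
ext_if="em0"
dmz_if="em1"
int_if="em2"
dmz_web="10.0.1.10"
dmz_web_pub="203.0.113.10"
proxy="127.0.0.1"

# BEFORE: one binat rule per DMZ host. binat rules are always evaluated
# first, so the DMZ host's outbound FTP traffic never reaches the rdr to
# ftp-proxy below, nor the nat/rdr rules ftp-proxy adds in its anchors.
# binat on $ext_if from $dmz_web to any -> $dmz_web_pub

# AFTER: ftp-proxy's translation anchors and the control-port redirects
# come first in the ruleset; the binat is replaced by a nat/rdr pair after them.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# send FTP control connections from the LAN and the DMZ to ftp-proxy
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> $proxy port 8021
rdr pass on $dmz_if proto tcp from $dmz_if:network to any port 21 -> $proxy port 8021

# replacement for the binat: source translation on the way out ...
nat on $ext_if from $dmz_web to any -> $dmz_web_pub
# ... and destination translation on the way in for the published services
rdr on $ext_if proto tcp from any to $dmz_web_pub port { 80, 443 } -> $dmz_web

# filter rules: ftp-proxy's pass rules, the proxy's own control connections,
# and the published services
anchor "ftp-proxy/*"
pass out on $ext_if proto tcp to any port 21
pass in on $ext_if proto tcp from any to $dmz_web port { 80, 443 }
```

One difference from the original binat is worth keeping in mind: binat maps the two addresses 1:1 in both directions for every protocol and port, whereas the rdr above only covers the listed TCP ports. To reproduce the binat exactly, drop the proto and port qualifiers (`rdr on $ext_if from any to $dmz_web_pub -> $dmz_web`); the rdr to ftp-proxy still wins for outbound port 21 because it appears earlier in the ruleset. Check the result with `pfctl -nf /etc/pf.conf` before loading it.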