On Mon, Sep 08, 2008 at 06:45:16PM +0200, [EMAIL PROTECTED] wrote:
> >
> > The "reflection" method is indeed what you want.  You're only binat'g
> > if the traffic makes it outbound.  The idea with reflection is to
> > intercept the packets destined for the "external hostname" and redirect
> > them on the internal interface to the intended server.  So you would
> > have a binat rule for traffic out to the internet, and rdr/no-nat/nat
> > rules for traffic to your own servers.
> >
>
> Thanks Jason,
> I'm happy the mail arrived at the list, even so late ;)
> (I think it was lost.)
>
> I did that and it seems to work:
>
> rdr on $if_int proto tcp from $int_net to publicIP port 80 -> \
>     privateIP
>
> nat on $if_int inet from privateIP2 to any -> publicIP2
You're missing the no-nat rule.  This shouldn't break the "reflection"
traffic but might cause adverse effects for other connections originating
from your firewall.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
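For readers following the thread, here is the complete rdr / no nat / nat set that the "reflection" technique calls for, in the pre-OpenBSD 4.7 pf.conf syntax that was current in 2008. This is an added illustration, not a ruleset posted by either participant; the interface names, the 192.168.1.0/24 network and the server address are assumed for the example, and the rule shape follows the classic pf FAQ reflection pattern rather than the poster's own macros.

```pf
# Added example (not from the thread). Interface names and addresses are
# assumed placeholders; adjust to the real topology.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"
server  = "192.168.1.40"    # internal web server being "reflected" to

# 1. Internal clients that connect to the firewall's external address get
#    the connection redirected to the internal server instead of being
#    sent out to the internet.
rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> $server

# 2. Connections the firewall itself originates toward the LAN must be
#    exempted from translation. This is the rule the reply above says is
#    missing: without it, the nat rule in step 3 can also catch the
#    firewall's own traffic to the internal network.
no nat on $int_if proto tcp from $int_if to $int_net

# 3. Rewrite the client's source address to the firewall's internal
#    address so the server's replies come back through the firewall.
#    Otherwise the server answers the client directly with a source
#    address the client never connected to, and the client discards it.
nat on $int_if proto tcp from $int_net to $server port 80 -> $int_if
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf`, then confirm the three translation rules are active and in this order with `pfctl -sn`; pf evaluates nat rules first-match, so the `no nat` exemption must precede the `nat` rule it protects. On OpenBSD 4.7 and later the same idea is written with `match ... rdr-to` and `match ... nat-to` rules instead.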