On Monday 21 January 2008 09:09:41 Stuart Henderson wrote:
> On 2008/01/20 16:48, Samuel Penn wrote:
> > However, I'm now trying to do the same with some other ports, without
> > any luck. I'm starting by trying to allow access to the web page for
> > an internal ejabberd installation (running on port 5280, on host
> > 192.168.11.3), however adding in a similar rule for port 5280 fails
> > to work for both external and internal connections, and though
> > tcpdump shows the redirect happening, the browser receives no response,
> > and the web server log shows that it hasn't received anything.
>
> You should currently be seeing the SYN packets reach cagliostro
> if you run tcpdump there, and ACK being sent *directly to fenris*.
> This won't work; the ACK (and other packets) must be sent to
> the firewall to be rewritten ("un-rdr'ed").
>
> http://www.openbsd.org/faq/pf/rdr.html#reflect has various
> ways around this.

I think I've seen that FAQ, but obviously didn't get down far enough
through it. I'll have a close look at that, and give things another
try. Thanks for the help.

The external side may be due to firewall rules on the external server
I was testing on, though I'm pretty sure I'd accounted for them. If my
rules are right, then it may be something I've overlooked there.

> > --
> > Be seeing you,                         http://www.glendale.org.uk
>
>   ^^^^
> :-)

I am not a number...

-- 
Be seeing you,                         http://www.glendale.org.uk
Sam.                        Mail/IM (Jabber): [EMAIL PROTECTED] 
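
Added example (not part of the original messages): a small Python model of the reply path described in the quoted explanation, showing why a redirected connection from a client on the server's own subnet gets no usable response, and how also source-translating on the firewall's internal side forces the reply back through it. Only 192.168.11.3 and port 5280 come from the thread; every other address and port is constructed.

```python
from typing import NamedTuple

class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

SERVER_IP, SERVER_PORT = "192.168.11.3", 5280  # from the thread
FW_EXT = "203.0.113.1"    # assumed: firewall's external address
FW_INT = "192.168.11.1"   # assumed: firewall's internal address
CLIENT = "192.168.11.20"  # assumed: internal client on the server's subnet

def swap(p: Pkt) -> Pkt:
    """Return the reply-direction tuple for a packet."""
    return Pkt(p.dst, p.dport, p.src, p.sport)

class Firewall:
    def __init__(self, nat_internal: bool):
        self.nat_internal = nat_internal
        self.states = {}  # reply as sent by the server -> reply the client expects

    def forward(self, pkt: Pkt) -> Pkt:
        """Apply the redirect (and optionally source NAT) to a packet for FW_EXT."""
        out = pkt._replace(dst=SERVER_IP, dport=SERVER_PORT)
        if self.nat_internal:
            out = out._replace(src=FW_INT, sport=50000)  # constructed NAT port
        self.states[swap(out)] = swap(pkt)
        return out

    def reverse(self, reply: Pkt) -> Pkt:
        """Undo the translation for a reply that actually reaches the firewall."""
        return self.states[reply]

def reply_seen_by_client(nat_internal: bool) -> Pkt:
    fw = Firewall(nat_internal)
    syn = Pkt(CLIENT, 40000, FW_EXT, SERVER_PORT)
    reply = swap(fw.forward(syn))  # server answers whatever source it saw
    # A reply addressed to a host on the same subnet is delivered directly and
    # never rewritten; only a reply addressed to the firewall is translated back.
    return fw.reverse(reply) if reply.dst == FW_INT else reply

def client_accepts_reply(nat_internal: bool) -> bool:
    """The client only accepts a reply from the address and port it connected to."""
    expected = Pkt(FW_EXT, SERVER_PORT, CLIENT, 40000)
    return reply_seen_by_client(nat_internal) == expected

if __name__ == "__main__":
    for nat in (False, True):
        print(f"nat_internal={nat}: reply={reply_seen_by_client(nat)} "
              f"accepted={client_accepts_reply(nat)}")
```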
