On Monday 21 January 2008 09:09:41 Stuart Henderson wrote:
> On 2008/01/20 16:48, Samuel Penn wrote:
> > However, I'm now trying to do the same with some other ports, without
> > any luck. I'm starting by trying to allow access to the web page for
> > an internal ejabberd installation (running on port 5280, on host
> > 192.168.11.3), however adding in a similar rule for port 5280 fails
> > to work for both external and internal connections, and though
> > tcpdump shows the redirect happening, the browser receives no response,
> > and the web server log shows that it hasn't received anything.
>
> You should currently be seeing the SYN packets reach cagliostro
> if you run tcpdump there, and ACK being sent *directly to fenris*.
> This won't work; the ACK (and other packets) must be sent to
> the firewall to be rewritten ("un-rdr'ed").
>
> http://www.openbsd.org/faq/pf/rdr.html#reflect has various
> ways around this.
I think I've seen that FAQ, but obviously didn't get down far enough
through it. I'll have a close look at that, and give things another try.
Thanks for the help.

The external side may be due to firewall rules on the external server I
was testing on, though I'm pretty sure I'd accounted for them. If my rules
are right, then it may be something I've overlooked there.

> > --
> > Be seeing you, http://www.glendale.org.uk
> >                ^^^^
> :-) I am not a number...

--
Be seeing you, http://www.glendale.org.uk
Sam. Mail/IM (Jabber): [EMAIL PROTECTED]
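The situation Stuart describes is the classic PF "reflection" problem: an internal client connects to the firewall's public address, the rdr sends the SYN to the internal server, and the server answers the client directly on the LAN with its own private address as source, so the client sees a reply from a host it never talked to and the handshake never completes. The pf.conf fragment below is an added example (not from the thread or the OpenBSD FAQ, written in the nat/rdr syntax of the 2008-era PF that the thread discusses) showing the nat-on-the-internal-interface fix. Interface names em0/em1 and the LAN 192.168.11.0/24 are assumptions; 192.168.11.3 and port 5280 are the ejabberd host and port from the thread.

```pf
# Added example: forcing internal clients' redirected connections back
# through the firewall so replies get "un-rdr'ed". Assumed names:
#   em0 = external interface, em1 = internal interface,
#   192.168.11.0/24 = internal LAN (assumption, not stated in the thread).
ext_if   = "em0"
int_if   = "em1"
int_net  = "192.168.11.0/24"
jabber   = "192.168.11.3"
jab_port = "5280"

# Ordinary outbound NAT for the LAN.
nat on $ext_if from $int_net to any -> ($ext_if)

# External clients: redirect the public address's port 5280 to ejabberd.
# Replies return through the firewall anyway, because the client is on
# the far side of it.
rdr on $ext_if proto tcp from any to ($ext_if) port $jab_port -> $jabber

# Internal clients connecting to the public address: the rdr alone makes
# the server answer the client directly with source 192.168.11.3, which
# the client rejects. Rewriting the client's source to the firewall's own
# internal address makes the server reply to the firewall, which then
# undoes both the nat and the rdr before forwarding to the client.
rdr on $int_if proto tcp from $int_net to ($ext_if) port $jab_port -> $jabber
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to $jabber port $jab_port -> ($int_if)

# Filter rules see the already-translated addresses, so they are written
# against the real server address.
pass in  on $ext_if proto tcp from any to $jabber port $jab_port flags S/SA keep state
pass in  on $int_if proto tcp from $int_net to $jabber port $jab_port flags S/SA keep state
pass out on $int_if proto tcp from any to $jabber port $jab_port flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then confirm the fix with `tcpdump -ni em1 port 5280`: both directions of an internal client's connection should now appear between the firewall's internal address and 192.168.11.3, and `pfctl -s state` shows the matching nat and rdr state entries. One consequence worth knowing before relying on server-side logs: with this rule in place, connections from LAN clients arrive at ejabberd with the firewall's internal address as their source, so the server's logs no longer identify the real internal client. The FAQ's split-horizon DNS alternative (resolving the service name to 192.168.11.3 for internal clients) avoids the redirect entirely and preserves the client address.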