Re: Very limited port redirection setup with pf not working

From: Stefan Roth (dev_at_null.nix)
Date: 11/24/05

    Date: Thu, 24 Nov 2005 11:07:28 +0100

    > I believed that I set a route to allow one machine to reach another.
    > The point at hand is, my webserver can already reach the OpenBSD box.

    Yes, as your webserver and the obsd box are in the same subnet, that's fine.

    > Unlike the OpenBSD box, the webserver operates with a 16 bit netmask
    > for the 10.4. network that itself is in, so it can reach (ping etc) the
    > OpenBSD box at 10.4.12.142 with no problems. So, if the packets coming
    > port-redirected from the OpenBSD box would look right, the web server
    > should already send a reply back to the OpenBSD box as far as I can
    > see?

    No. Let me explain.
    The client sends an HTTP request to the obsd box. The rdr on the obsd box
    replaces the destination IP of those packets with the IP of your internal
    webserver; that's OK.
    But rdr will NOT touch the source IP address.
    Thus your webserver will have to send a reply targeted at your external
    client. The webserver can't do that, as it would have to address a subnet
    which it doesn't have a route for.

    So, log on to your webserver and try a default route directed at the
    internal interface of your obsd box:
    route add default 10.4.11.x
    x I don't know; I couldn't find the full IP address of your obsd box inside
    the 10.4.11 subnet in your original posting.
    If your webserver is Windows, the command could be different depending on
    the version. I have seen this:
    route add 0.0.0.0 mask 0.0.0.0 10.4.11.x

    stefan
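
The following pf.conf fragment is an added example and is not part of Stefan's reply or of the original poster's configuration. It shows the rdr rule the thread is about in the pre-OpenBSD 4.7 nat/rdr syntax current in 2005, and, as an alternative to changing the webserver's routing table, a nat rule on the internal interface that also rewrites the source address so the reply returns to the pf box. Interface names and the webserver address are assumptions; the pf box's internal address is taken from the interface with the `($int_if)` notation rather than spelled out, since the thread does not give it.

```pf
# Added example pf.conf (pre-OpenBSD 4.7 nat/rdr syntax).
# Interface names and the webserver address are assumptions, not from the thread.
ext_if  = "fxp0"         # assumed: interface facing the external clients
int_if  = "fxp1"         # assumed: interface in the 10.4.11.0/24 subnet
web_srv = "10.4.12.10"   # assumed: the internal webserver

# Port redirection. Only the destination address is rewritten: the webserver
# still sees the external client's address as the source, so it needs a route
# back to that client (a default route via the pf box's internal interface,
# as suggested in the reply above).
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Alternative when the webserver's routing cannot be changed: also rewrite the
# source address of the redirected connections to the pf box's own address on
# the internal interface, so the webserver replies to a host on its subnet.
# Caveat: the webserver's access log then records the pf box, not the client.
nat on $int_if proto tcp from any to $web_srv port 80 -> ($int_if)

# Filter rules are evaluated after translation and therefore see the rewritten
# destination: match on $web_srv, not on the external address.
pass in  on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
pass out on $int_if proto tcp from any to $web_srv port 80 flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm the translation is happening as expected with `pfctl -s state` while a client connects: with only the rdr rule you will see the client's real address as the source on the internal side, with the nat rule you will see the pf box's internal address instead. Without a return route or the nat rule, the state entry stays in SYN_SENT:CLOSED because the webserver's reply never arrives.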

