[Tfug] Syntax errors on new nat.conf

johngalt tfug@tfug.org
Fri Jul 5 22:32:02 2002


WTF? Did Chris reply ten days after Steven wrote his post?

Or is Steven's clock foobar?

People, please set your clock to the correct date at least....

ntpdate, | date, | whatever

and then setclock, | /sbin/clock --systohc whatever



Chris wrote:
> 
> On Tue, 25 Jun 2002 22:43:12 -0700
> "Steven Bowers" <steveb7@bblabs.net> wrote:
> 
> > I'm trying to resolve some syntax errors and need some help. The
> > nat.conf from OBSD 3.1 is shown below. The errors are occurring on
> > lines 8, 12 and 17 which correspond to my rdr statements. I'm going to
> > run a mail and web server on fxp2/192.168.2.2 and will need access to
> > it from fxp1/192.168.1.0/24 which is the local lan. My ext interface
> > is fxp0.
> >
> > Steve
> >
> > ########################################################
> > # nat.conf
> > nat on fxp0 from 192.168.1.0/24 to any -> 24.221.35.101
> > nat on fxp0 from 192.168.2.0/24 to any -> 24.221.35.101
> >
> > ########################################################
> > # Internet (fxp0)
> > rdr on fxp0 proto { tcp, udp } from any to 24.221.35.101 port { 25,
> > 80, 110, 443
> >  } -> 192.168.2.2 port { 25, 80, 110, 443 }
> >
> > #######################################################
> > # private network (fxp1)
> > rdr on fxp1 proto { tcp, udp } from 192.168.1.0/24 to 24.221.35.101
> > port { 25, 8 0, 110, 443 } -> 192.168.2.2 port { 25, 80, 110, 443 }
> > rdr on fxp1 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
> >
> > #######################################################
> > # DMZ network (fxp2)
> > rdr on fxp2 proto { tcp, udp } from 192.168.2.2 to 24.221.35.101 port
> > { 25, 80, 110, 443 } -> 192.168.2.2 port { 25, 80, 110, 443 }
> 
> Steven-
> 
> IIRC, nat/rdr rules create state for each connection.  Tcp and udp
> establish different states when they connect.  Plus port mapping is one
> to one.  pf doesn't know what you want port 25 from the first set mapped
> to, the second set has 4 choices.  You will have to define an rdr for
> each protocol/port you want to redirect.  Ditch the sets and it should
> start working.  You also have a space between the 8 and the 0 in the
> first port set in your second rdr rule.
> 
> -C-
> _______________________________________________
> tfug mailing list
> tfug@tfug.org
> http://www.tfug.org/mailman/listinfo/tfug
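Below is an added example, not Steven's file and not anything from the list, showing the quoted nat.conf rewritten the way Chris describes: one rdr per protocol/port pair, no port list after `->`, and the "8 0" typo removed. Interfaces and addresses are the ones from the original post; the choice to redirect TCP only is my assumption (SMTP, HTTP, POP3 and HTTPS are TCP services, so the udp half of the original `{ tcp, udp }` sets only widened what could reach the DMZ host without serving anything).

```pf
# Added example: one rdr per service, as suggested in the reply above.
# Interfaces/addresses from the original post; TCP-only is an assumption.

# nat.conf
nat on fxp0 from 192.168.1.0/24 to any -> 24.221.35.101
nat on fxp0 from 192.168.2.0/24 to any -> 24.221.35.101

########################################################
# Internet (fxp0): one rule per port, source port mapped to the same port
rdr on fxp0 proto tcp from any to 24.221.35.101 port 25  -> 192.168.2.2 port 25
rdr on fxp0 proto tcp from any to 24.221.35.101 port 80  -> 192.168.2.2 port 80
rdr on fxp0 proto tcp from any to 24.221.35.101 port 110 -> 192.168.2.2 port 110
rdr on fxp0 proto tcp from any to 24.221.35.101 port 443 -> 192.168.2.2 port 443

#######################################################
# private network (fxp1): same four services, scoped to the local LAN
rdr on fxp1 proto tcp from 192.168.1.0/24 to 24.221.35.101 port 25  -> 192.168.2.2 port 25
rdr on fxp1 proto tcp from 192.168.1.0/24 to 24.221.35.101 port 80  -> 192.168.2.2 port 80
rdr on fxp1 proto tcp from 192.168.1.0/24 to 24.221.35.101 port 110 -> 192.168.2.2 port 110
rdr on fxp1 proto tcp from 192.168.1.0/24 to 24.221.35.101 port 443 -> 192.168.2.2 port 443
# FTP to the local proxy, unchanged from the original post
rdr on fxp1 proto tcp from any to any port 21 -> 127.0.0.1 port 8081

#######################################################
# DMZ network (fxp2): the server reaching its own public address
rdr on fxp2 proto tcp from 192.168.2.2 to 24.221.35.101 port 25  -> 192.168.2.2 port 25
rdr on fxp2 proto tcp from 192.168.2.2 to 24.221.35.101 port 80  -> 192.168.2.2 port 80
rdr on fxp2 proto tcp from 192.168.2.2 to 24.221.35.101 port 110 -> 192.168.2.2 port 110
rdr on fxp2 proto tcp from 192.168.2.2 to 24.221.35.101 port 443 -> 192.168.2.2 port 443
```

Two notes from my side, not from the thread. First, on a 3.1-era system nat.conf is loaded separately from the filter rules, and `pfctl -n -N /etc/nat.conf` parses the file without loading it, which is the quickest way to confirm the syntax errors are gone before touching a live ruleset. Second, the fxp2 block is the "reflection" case the pf FAQ warns about: a host on the DMZ connecting to its own public address gets the packet redirected straight back to itself, so it sees its own address as the source and the reply never traverses the firewall; the usual remedy is to also NAT those connections on the internal interface, or to have DMZ hosts use the private address directly. Keeping one explicit rdr per service, rather than broad sets, also means only the four listed ports can ever be redirected into the DMZ.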