[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-misc
Subject:    Re: rdr clarification
From:       Henning Brauer <henning () openbsd ! org>
Date:       2005-10-31 11:57:41
Message-ID: 20051031115741.GL19910 () nudo ! bsws ! de
[Download RAW message or body]

* Chris Smith <bsd782@chrissmith.org> [2005-10-30 15:50]:
> On Saturday 29 October 2005 03:34 pm, ed wrote:
> > > rdr pass on $ext_if proto tcp from <remote_admin> to $ext_ad3 port
> > > ldap  -> $server_1 port ldap
> > >
> > > ...where $server_1 is on the other side of $int_if, still needs a
> > > pass out rule on $int_if. The "rdr pass" does not extend through to
> > > the destination but only through the interface the rdr rule is
> > > applied to.
> >
> > I think this depends on your block rules. If you have a block rule
> > else where, it may not permit the return packets.
> 
> With "pass" added (rdr pass) filtering rules are supposed to be skipped, 
> so a later block shouldn't matter. Plus, since "rdr" rules keep state 
> the return trip should be guaranteed - the state table is examined and 
> filtering rules are skipped.

correct.
for that interface.
you might still be blocking on the other one.

> So it appears that the "pass" and the state keeping only apply to the 
> named interface and not through to the destination.

correct.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

[prev in list] [next in list] [prev in thread] [next in thread]