
Re: pf problems



Hey,

I've had this problem before; like you mentioned, it is the NAT messing this up. The best solution would be to use a split DNS setup or use reflection (http://www.openbsd.org/faq/pf/rdr.html#reflect).

-Paul

On Fri, 17 Oct 2003 14:40:56 -0700
"obsd" <openbsd@ilabmail.com> wrote:

> I am using OpenBSD 3.3 as a company firewall.  I have looked for an answer
> but have not found it.  I am sure it is simple and I am overlooking it.
> 
> Our webservers are behind the firewall, and several different rdr and nat
> rules work fine, from the outside.  From inside the 192.168.x.x network, I
> cannot resolve the FQDN, I have to use the 192.168.x.x address to get to the
> server.
> 
> Some new applications have been built that need to use the domain name, and
> from the outside they work, but from behind the firewall, they don't
> resolve.  I understand that the requests from inside are most likely being
> denied by the firewall since it does not know what to do with them, but I do
> not know the solution.  I have tried binat rules in the pf.conf in
> accordance with the pf faq, as it sounds like the answer:
> 
> web_serv_int = "192.168.1.30"
> web_serv_int = "public ip"
> 
> binat on em0 from $web_serv_int to any -> $web_serv_int
> 
> but I continue to get the same error, ie. the connection at work is refused
> by the webserver.  My thinking is because the internal nic has no idea what
> to do with these requests, since nat is done from the ext interface.
> 
> I am willing to learn from my mistakes if someone can just point me in the
> right direction.
> 
> brian
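
The reflection approach from the PF FAQ section linked in the reply, written out as an added example that is not part of either poster's message. The interface names, the internal network and the `203.0.113.10` public address are assumptions or placeholders; `192.168.1.30` is the server address from the question.

```pf
# pf.conf translation section (constructed example, OpenBSD 3.x syntax)
ext_if  = "em0"              # assumed external interface
int_if  = "em1"              # assumed internal interface
int_net = "192.168.1.0/24"   # assumed internal network
web_int = "192.168.1.30"     # server address from the question
web_ext = "203.0.113.10"     # placeholder for the server's public IP

# Outside clients: redirect on the external interface. Inside clients
# never cross $ext_if, so this rule alone does nothing for them.
rdr on $ext_if proto tcp from any to $web_ext port 80 -> $web_int port 80

# Reflection, step 1: connections from inside clients to the public IP
# arrive on $int_if, so redirect them to the server there as well.
rdr on $int_if proto tcp from $int_net to $web_ext port 80 -> $web_int port 80

# Step 2: leave connections that the firewall itself opens towards the
# internal network untranslated.
no nat on $int_if proto tcp from $int_if to $int_net

# Step 3: rewrite the source of the redirected connections to the
# firewall's internal address. Without this the server answers the
# client directly from 192.168.1.30, the client is expecting an answer
# from $web_ext, and the connection never completes.
nat on $int_if proto tcp from $int_net to $web_int port 80 -> $int_if
```

With these rules the web server sees every internal client as the firewall's internal address, which matters for access logs and any IP-based access control on the server. The filter rules on `$int_if` still have to pass this traffic; a split DNS setup avoids both points because internal clients connect to 192.168.1.30 directly.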