
nat.conf - rdr port 80 to apache server in DMZ



Hello-

I have been wracking my brains trying to solve this problem for the last 3
days.  I am running a web\ftp\mail server in the dmz off a 3-legged
OpenBSD 3.1 firewall box, and everything except apache works:


[apache, ftp & qmail freebsd server10.10.10.5]
			|
			|
	[Openbsd 3.1 pf + nat box]---------------------------->internet
			|
			|
		[Internal network 192.168.x.x]



I am using dynamic dns.


The firewall is running nat and forwarding ports:

nat on tun0 from 192.168.0.1/24 to any -> tun0
nat on tun0 from 10.10.10.1/24 to any -> tun0
rdr on tun0 from any to tun0 port 25 -> 10.10.10.5 port 25
rdr on tun0 from any to tun0 port 80 -> 10.10.10.5 port 80
rdr on xl0 from any to any port 25 -> 10.10.10.5 port 25
rdr on xl0 from any to any port 21 -> 127.0.0.1 port 8081



I have no problems with mail or ftp, just http.  I cannot connect to the
apache server from the internet, only from the firewall box.

So I don't know if it is an apache misconfiguration or nat problem.  The
nat rules appear to be correct, but I can't actually tell if the packets
are passing through.  I have the following lines in my pf.conf:


InServicesTCP = "{ ssh, ftp, smtp, http, https }"

pass in log quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SA keep state



My relevant (? I think) apache server settings:
ServerName 10.10.10.5:80
UseCanonicalName On



I've done quite a few searches through various mailing lists as well as
google searches for "apache behind nat", and have not found anything which
helped me.

Any tips would be greatly appreciated.


Thanks in advance--
Steve
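One thing worth checking on a setup like the one above is the interaction between the rdr rules and the filter rules: pf applies the rdr translation before the filter rules are evaluated, so a pass rule only admits the redirected traffic if it matches the translated destination (here 10.10.10.5), not the external interface address. The script below is an added example, not code from the poster or from OpenBSD; it parses nat.conf-style rdr rules and pf.conf-style pass rules and reports redirects on the external interface that no pass rule would admit. The sample rules are constructed after the ones quoted in the post (only the tun0 redirects), the $Ext macro is assumed to be tun0, and the second pass rule is a constructed variant of the common "to $Ext" mistake for contrast.

```python
"""Cross-check pf rdr rules against pass rules (added example, not from the post).

In pf the rdr translation is applied before the filter rules run, so a pass
rule has to match the translated destination address and port. This script
flags redirects on the external interface that no pass rule admits.
"""
import re

# Constructed sample mirroring the post's tun0 redirects.
NAT_CONF = """
rdr on tun0 from any to tun0 port 25 -> 10.10.10.5 port 25
rdr on tun0 from any to tun0 port 80 -> 10.10.10.5 port 80
"""

# Pass rule as quoted in the post ("to any" admits the translated address).
# $Ext is assumed to be tun0; the post does not show its definition.
PF_CONF_OK = """
Ext = "tun0"
InServicesTCP = "{ ssh, ftp, smtp, http, https }"
pass in log quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SA keep state
"""

# Constructed variant of a common mistake: filtering on the external address,
# which the packet no longer carries once rdr has rewritten it.
PF_CONF_BAD = """
Ext = "tun0"
InServicesTCP = "{ ssh, ftp, smtp, http, https }"
pass in log quick on $Ext inet proto tcp from any to $Ext port $InServicesTCP flags S/SA keep state
"""

# pf resolves service names through /etc/services; a small fixed table here.
SERVICES = {"ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "https": 443}

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)
RDR_RE = re.compile(r'^\s*rdr on (\S+) from \S+ to (\S+) port (\S+) -> (\S+) port (\S+)', re.M)
PASS_RE = re.compile(r'^\s*pass in\b.*?\bon (\S+).*?\bto (\S+) port (\{[^}]*\}|\S+)', re.M)


def parse_macros(text):
    """Collect name = "value" macro definitions."""
    return dict(MACRO_RE.findall(text))


def expand(token, macros):
    """Replace a $name reference with its macro value; other tokens pass through."""
    return macros[token[1:]] if token.startswith("$") else token


def to_port(item):
    """Numeric port or service name -> port number."""
    return int(item) if item.isdigit() else SERVICES[item]


def port_set(spec, macros):
    """Turn "80", "http" or "{ ssh, http }" (possibly via a macro) into a set of ports."""
    spec = expand(spec, macros).strip("{} ")
    return {to_port(item.strip()) for item in spec.split(",") if item.strip()}


def parse_rdr(text):
    """Return (iface, external port, target host, target port) for each rdr rule."""
    return [(iface, to_port(ext_port), target, to_port(target_port))
            for iface, _ext_dst, ext_port, target, target_port in RDR_RE.findall(text)]


def parse_pass(text):
    """Return (iface, destination, ports) for each 'pass in ... on X ... to Y port Z' rule."""
    macros = parse_macros(text)
    return [(expand(iface, macros), expand(dst, macros), port_set(spec, macros))
            for iface, dst, spec in PASS_RE.findall(text)]


def uncovered_redirects(nat_text, pf_text, iface="tun0"):
    """Redirects on `iface` whose translated destination no pass rule admits."""
    passes = parse_pass(pf_text)
    missing = []
    for rdr_iface, ext_port, target, target_port in parse_rdr(nat_text):
        if rdr_iface != iface:
            continue
        covered = any(p_iface == iface and p_dst in ("any", target) and target_port in ports
                      for p_iface, p_dst, ports in passes)
        if not covered:
            missing.append((ext_port, target, target_port))
    return missing


if __name__ == "__main__":
    for label, conf in (("to any", PF_CONF_OK), ("to $Ext", PF_CONF_BAD)):
        print(label, "->", uncovered_redirects(NAT_CONF, conf) or "all redirects admitted")
```

With the rules as quoted in the post the checker reports nothing, so a pass/rdr mismatch is not what blocks port 80 there; with the "to $Ext" variant it flags both redirects, which is the symptom to look for when a redirected service is reachable from the firewall but not from outside. The parser only understands the rule shapes shown in the post, and tcpdump on pflog0 remains the authoritative way to see whether logged packets actually arrive.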


