[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

TCP Reflection: Summary



Good news and bad news.  Good news, I finally got tcp reflection working
(on 3.2) via the multiple nat/no nat/rdr rules.  Turns out I had the
$server confused with the ext_if address, rather than the webserver. 
Sounds stupid, but... well, I guess it is.  :-P
Bad news.  Defaulting back to a "normal" set of NAT rules (one for
"masquerading", one for port forwarding to the internal webserver), I'm
having difficulties with a typical DMZ setup.  This time, the client is
on the 192.168.2.0/24 network, trying to reach the webserver on
192.168.1.0/24 network, but being redirected through the external
interface (10.109.10.97).  Every time I send a connection, the firewall
sends an immediate reset.  No traffic on any of the other interfaces.
It does manage to work if I create a set of "reflection" rules for this
interface as well, but I thought that a DMZ didn't NEED this sort of
complex mangling.  The routing is fine;  I have no problems pinging the
webserver from the client... it's only when the packet attempts to hit
the external address for redirection that it gets reset.
Any ideas?
Thanks again,
Jason