TCP Reflection: Summary

Good news and bad news.  Good news, I finally got TCP reflection working
(on 3.2) via the multiple nat/no nat/rdr rules.  Turns out I had the
$server confused with the ext_if address, rather than the webserver. 
Sounds stupid, but... well, I guess it is.  :-P
Bad news.  Defaulting back to a "normal" set of NAT rules (one for
"masquerading", one for port forwarding to the internal webserver), I'm
having difficulties with a typical DMZ setup.  This time, the client is
on the network, trying to reach the webserver on network, but being redirected through the external
interface (  Every time I send a connection, the firewall
sends an immediate reset.  No traffic on any of the other interfaces.
It does manage to work if I create a set of "reflection" rules for this
interface as well, but I thought that a DMZ didn't NEED this sort of
complex mangling.  The routing is fine;  I have no problems pinging the
webserver from the client... it's only when the packet attempts to hit
the external address for redirection that it gets reset.
Any ideas?
Thanks again,
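For reference, here is a pf.conf fragment in OpenBSD 3.x nat/rdr syntax illustrating the two situations the post describes. It is an added example written for this page, not configuration from the poster or from the OpenBSD project; the interface names, the two private networks and the $server address are placeholders and must be replaced with the real ones. The rdr rule on the external interface only matches packets that actually arrive on that interface, so a LAN client connecting to the external address on the internal interface is never translated: the SYN terminates on the firewall itself, nothing listens there on port 80, and the firewall answers with a reset. A second rdr on the internal interface fixes that, and when the server sits on a separate DMZ network no extra nat rule is needed, because the server's replies have to pass back through the firewall anyway and are un-translated by the same state entry. The nat/no nat lines that make up the full reflection set are only required when client and server share a subnet.

```conf
# pf.conf fragment, OpenBSD 3.x nat/rdr syntax (later releases use match ... nat-to / rdr-to).
# Every address, interface name and the $server host below is a placeholder chosen
# for this example; substitute the real values of the installation.
ext_if  = "xl0"             # external interface, holds the public address
int_if  = "xl1"             # internal LAN interface
dmz_if  = "xl2"             # DMZ interface
int_net = "192.168.1.0/24"  # example LAN
dmz_net = "192.168.2.0/24"  # example DMZ
server  = "192.168.2.10"    # the web server's own address, not the external interface

# Ordinary masquerading and port forwarding for traffic that arrives on $ext_if.
nat on $ext_if from $int_net to any -> $ext_if
nat on $ext_if from $dmz_net to any -> $ext_if
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $server port 80

# DMZ case: client on $int_net, server on $dmz_net. The rdr above never sees a
# packet that enters on $int_if, so that packet is delivered to the firewall's own
# external address and gets a reset. One rdr on the internal interface is all that
# is needed here; replies come back through the firewall and are un-translated by
# the state entry created below.
rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> $server port 80

# Same-subnet case (client and server both on $int_net) would additionally need the
# reflection nat rules, so the server answers the firewall instead of the client
# directly. Left commented out because they are not wanted in the DMZ layout:
# no nat on $int_if proto tcp from $int_if to $int_net
# nat on $int_if proto tcp from $int_net to $server port 80 -> $int_if

# Filter rules for the redirected flow only (a default-block policy is assumed and
# not shown). keep state lets the return traffic be matched and un-translated.
pass in  on $int_if proto tcp from $int_net to $server port 80 keep state
pass out on $dmz_if proto tcp from $int_net to $server port 80 keep state
pass in  on $ext_if proto tcp from any to $server port 80 keep state
pass out on $dmz_if proto tcp from any to $server port 80 keep state
```

To check the result without guessing: `pfctl -nf /etc/pf.conf` parses the file, `pfctl -s nat` lists the loaded nat and rdr rules so the internal-interface rdr can be confirmed present, and a `tcpdump -n -i xl2 port 80` on the DMZ interface while the client connects shows whether the SYN is now forwarded to $server or still answered by the firewall.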