
Re: binat with exceptions

On Sun, Nov 24, 2002 at 10:05:58PM +0100, c0g wrote:
> I want to do full binat for internal_server like this:
> binat on $EIF from $INTERNAL_SERVER to any -> $EXTERNAL_ADDRESS
> But I also want admin_box to have access to some services of the OpenBSD box
> (ssh, icmp ping), the rest have to be binated.
> How to accomplish that?
Translation rules (nat, rdr, binat) are first-match: the first matching
translation rule for a connection is applied.
So, you can either use a 'no rdr ...' rule to prevent translation of
connections to specific ports (binat rules can't specify ports, but a
'no rdr' rule will have the same effect, applying no translation to an
incoming connection), or use 'rdr ...' to redirect incoming connections
to certain ports to the identical ports.
For outgoing connections, 'no nat' and 'nat' would work to prevent a
binat rule from matching. Exceptions first, then the generic binat rule.
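Putting the two suggestions together, here is an added pf.conf translation section (example config, not from the thread). $EIF, $INTERNAL_SERVER and $EXTERNAL_ADDRESS are the poster's macros; $ADMIN_BOX is an assumed macro for the admin_box address, and the filter (pass/block) rules are assumed to exist separately.

```pf
# Macros (addresses are placeholders, not from the thread)
EIF = "fxp0"
INTERNAL_SERVER = "192.168.1.10"
EXTERNAL_ADDRESS = "203.0.113.5"
ADMIN_BOX = "203.0.113.77"        # assumed: the admin host on the outside

# Exceptions first: translation rules are first-match, so connections from
# admin_box to ssh and icmp on the OpenBSD box itself are left untranslated
# and never reach the binat rule below.
no rdr on $EIF proto tcp  from $ADMIN_BOX to $EXTERNAL_ADDRESS port 22
no rdr on $EIF proto icmp from $ADMIN_BOX to $EXTERNAL_ADDRESS

# Outbound exception in the same spirit ('no nat' before the generic rule),
# so the binat rule cannot rewrite traffic from the internal server to admin_box.
no nat on $EIF from $INTERNAL_SERVER to $ADMIN_BOX

# Generic binat last: everything not excepted above is mapped 1:1.
binat on $EIF from $INTERNAL_SERVER to any -> $EXTERNAL_ADDRESS
```

Load it with `pfctl -f /etc/pf.conf` and confirm the order with `pfctl -s nat`; the `no rdr` and `no nat` lines must be listed above the binat rule for the exceptions to take effect.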