Subject: Re: inside-in redirects
To: None <netbsd-users@netbsd.org>
From: Aaron J. Grier <agrier@poofygoof.com>
List: netbsd-users
Date: 07/01/2003 11:49:47
On Mon, Jun 30, 2003 at 01:55:24PM -0700, collver1@comcast.net wrote:

> How about trying the following?
> 
> rdr le0 publicIP/32 port 80 -> 10.0.0.6 port 80 tcp

good guess, but not quite...

the redirect is working, but it needs to be proxied somehow.  this is
how I interpret the above tcpdump:

11:44:39.867451 10.0.0.7.65523 > publicIP.80: S 26923372:26923372(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>

connect from internal client to external IP port 80

11:44:39.868393 10.0.0.7.65523 > 10.0.0.6.80: S 26923372:26923372(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>

it gets redirected to internal server.  this packet is generated from
the NAT box, I think.

11:44:39.870249 10.0.0.6.80 > 10.0.0.7.65523: S 1175573609:1175573609(0) ack 26923373 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 25692090 0>

internal server sees the redirected packet and attempts to reply.

11:44:39.870889 10.0.0.7.65523 > 10.0.0.6.80: R 26923373:26923373(0) win 0

internal client isn't expecting a response directly from the internal
server and so sends a reset.

it's as if the inside->in redirects need to be proxied through NAT as
well.  there's got to be a way to do it besides split DNS.

-- 
  Aaron J. Grier | "Not your ordinary poofy goof." | agrier@poofygoof.com
  "Isn't an OS that openly and proudly admits to come directly from Holy
   UNIX better than a cheap UNIX copycat that needs to be sued in court
   to determine what the hell it really is?"  --  Michael Sokolov
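The packet walk-through above is a textbook asymmetric-reply (hairpin NAT) failure: the client's SYN is rewritten toward the internal server, but the server's SYN/ACK returns directly, from an address the client never dialed, so the client's TCP stack resets it. The following Python script, added here as an example and not part of the original post or of NetBSD/IPFilter, parses that kind of classic tcpdump output and flags exactly this pattern. The sample trace is constructed from the four lines in the post with the placeholder "publicIP" replaced by the documentation address 203.0.113.10; the line format assumed is the old-style tcpdump TCP summary line shown in the post.

```python
"""Diagnose hairpin (inside-to-inside) NAT failures from tcpdump text output."""
import re

# Constructed sample trace: the four lines from the post, with the placeholder
# "publicIP" replaced by 203.0.113.10 (a documentation address, TEST-NET-3).
SAMPLE_TRACE = """\
11:44:39.867451 10.0.0.7.65523 > 203.0.113.10.80: S 26923372:26923372(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
11:44:39.868393 10.0.0.7.65523 > 10.0.0.6.80: S 26923372:26923372(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0>
11:44:39.870249 10.0.0.6.80 > 10.0.0.7.65523: S 1175573609:1175573609(0) ack 26923373 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 25692090 0>
11:44:39.870889 10.0.0.7.65523 > 10.0.0.6.80: R 26923373:26923373(0) win 0
"""

# Matches the classic tcpdump TCP line format used in the post (assumed here):
#   <ts> <src>.<sport> > <dst>.<dport>: <flags> <seq>:<end>(<len>) [ack N] ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SRPF.]+)\s+"
    r"(?P<seq>\d+):\d+\(\d+\)"
    r"(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one tcpdump TCP line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    p = m.groupdict()
    p["sport"] = int(p["sport"])
    p["dport"] = int(p["dport"])
    p["seq"] = int(p["seq"])
    p["ack"] = " ack " in p["rest"]
    return p


def diagnose(trace):
    """Return findings for client sockets whose SYN/ACK came from an unexpected peer.

    The first SYN seen from a client socket records the address the client
    actually dialed.  A later SYN with the same source socket and the same
    initial sequence number but a different destination is the NAT's rewritten
    copy.  A SYN/ACK that reaches the client from an address other than the one
    it dialed means the reply bypassed the translator; the client will reset it.
    """
    dialed = {}      # (client ip, client port) -> ((ip, port) dialed, ISN)
    rewritten = {}   # (client ip, client port) -> (ip, port) the NAT rewrote to
    findings = []
    for raw in trace.splitlines():
        p = parse_line(raw)
        if p is None:
            continue
        src = (p["src"], p["sport"])
        dst = (p["dst"], p["dport"])
        if p["flags"] == "S" and not p["ack"]:
            if src not in dialed:
                dialed[src] = (dst, p["seq"])
            elif dst != dialed[src][0] and p["seq"] == dialed[src][1]:
                rewritten[src] = dst
        elif p["flags"] == "S" and p["ack"]:
            client = dst
            if client in dialed and src != dialed[client][0]:
                findings.append({
                    "client": client,
                    "dialed": dialed[client][0],
                    "replied_from": src,
                    "rewritten_to": rewritten.get(client),
                    "reset": False,
                })
        elif p["flags"] == "R":
            # The client's RST toward the unexpected peer confirms the diagnosis.
            for f in findings:
                if f["client"] == src and f["replied_from"] == dst:
                    f["reset"] = True
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_TRACE):
        print(f"client {f['client']} dialed {f['dialed']}, NAT rewrote to "
              f"{f['rewritten_to']}, SYN/ACK arrived from {f['replied_from']}, "
              f"client reset: {f['reset']}")
```

Run it against a capture taken on the NAT box's inside interface (`tcpdump -n` output, no name resolution, so the regex sees addresses). A finding whose `replied_from` differs from `dialed` is the signature of an rdr rule without matching source translation: the fix on the translator side is to make the server's reply traverse the NAT as well (source-translate hairpinned connections), which is what the poster is asking for as an alternative to split DNS.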