From owner-freebsd-pf@FreeBSD.ORG Sat Sep 6 13:35:41 2008
From: secucatcher@free.fr
To: freebsd-pf@FreeBSD.org
Date: Sat, 06 Sep 2008 15:10:18 +0200
Message-ID: <1220706618.48c2813ab9cc6@imp.free.fr>
Subject: (no subject)
List-Id: "Technical discussion and general questions about packet filter (pf)"

hi everybody,

my work now is to change a Linux firewall with iptables to FreeBSD/pf/CARP. I migrated 6500 lines of iptables with no problem in ten days. There are 400 servers to filter, and maybe more in the new datacenter (1400/1700). The firewall does NAT!

They have something like this:

iptables -t nat -I PREROUTING -d -j DNAT --to

The idea behind it is that two servers on the same LAN behind the firewall could see each other as if they were on the Internet in different places. They use web services and they already deal with that: the first contacts the second not on the LAN but through the firewall with the public address.

The firewall must be in production next week. They just told me this new thing they want this morning (and it was not in the first part I migrated), and I am finishing the last three hours I must do on this project. If I don't win ;) they stay with iptables.

I tried some ideas from http://www.openbsd.org/faq/pf/rdr.html but most of what I do for the servers is binat and not rdr. I can't deal with netcat for such a project; pftpx is already a bit dirty for them instead of conntrack.

Thank you for your help
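Added example, not part of the message above and not from the FreeBSD or OpenBSD projects: a pf.conf fragment showing how the "two LAN servers reach each other through the firewall's public addresses" case (NAT reflection, the technique the cited rdr.html FAQ page describes) fits next to existing binat rules. Interface names, networks and the two server address pairs are constructed placeholders. The key point is that binat on the external interface never sees a packet that enters on the internal interface, so the reflected path needs its own rdr on the internal interface plus a nat rule that forces the reply back through the firewall's state table.

```pf
# Constructed placeholders; replace with the real interfaces and addresses.
ext_if  = "em0"
int_if  = "em1"
int_net = "10.0.0.0/24"

# Two servers on the LAN, each with a 1:1 public address (constructed).
srv_a_int = "10.0.0.11"
srv_a_pub = "203.0.113.11"
srv_b_int = "10.0.0.12"
srv_b_pub = "203.0.113.12"

# 1. Existing 1:1 mapping on the external interface. This only translates
#    packets that cross $ext_if; LAN-to-LAN packets never get here.
binat on $ext_if from $srv_a_int to any -> $srv_a_pub
binat on $ext_if from $srv_b_int to any -> $srv_b_pub

# 2. Reflection: a LAN host that sends to a public address arrives on
#    $int_if, so the destination must be rewritten there.
rdr on $int_if from $int_net to $srv_a_pub -> $srv_a_int
rdr on $int_if from $int_net to $srv_b_pub -> $srv_b_int

# 3. Source-translate the redirected packet to the firewall's own LAN
#    address. Without this the server answers the client directly across
#    the LAN, the reply bypasses the firewall's state entry, and the
#    connection stalls. The firewall's own traffic is excluded.
no nat on $int_if from $int_if to $int_net
nat on $int_if from $int_net to { $srv_a_int, $srv_b_int } -> ($int_if)

# 4. Filter rules must still permit the post-translation traffic on $int_if.
pass in  on $int_if proto tcp from $int_net to { $srv_a_int, $srv_b_int } keep state
pass out on $int_if proto tcp from ($int_if) to { $srv_a_int, $srv_b_int } keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. Two caveats to keep in mind with this design: because of step 3, server B sees every reflected connection from server A as coming from the firewall's internal address, so any per-source access control on the servers loses the real peer address (and the pf state table now carries the LAN-to-LAN load); and the rdr rules in step 2 are per destination address, so with hundreds of mapped servers it is worth generating them from the same list that produces the binat rules, or switching to a table, rather than maintaining two hand-written sets that drift apart.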