Subject: Re: inside-in redirects
To: None <netbsd-users@netbsd.org>
From: Aaron J. Grier <agrier@poofygoof.com>
List: netbsd-users
Date: 07/01/2003 16:46:07
On Tue, Jul 01, 2003 at 10:31:33PM +0200, Manuel Bouyer wrote:
> On Mon, Jun 30, 2003 at 01:45:09PM -0700, Aaron J. Grier wrote:
> > I've tried adding the following, but it doesn't seem to work:
> > 
> > rdr le0 10.0.0.0/8 port 80 -> 10.0.0.6 port 80 tcp
> 
> No, this can't work, because the reply from 10.0.0.6 to the client
> doesn't get through the router, and so the reply isn't translated.  The
> client connected to publicip:80, and it gets replies from 10.0.0.6:80.

that's what my tcpdump showed...

> What I would do, in your case, is split 10.0.0.0/8 in 2 10.0.0.0/16.
> Put your server on one, the clients on the other, and an alias on the
> le0 interface so that the router is in both. Now all traffic between
> the client and server will go through the router.

this assumes that the clients are separate from the server, which I
cannot guarantee with my current configuration.  Ideally connecting from
10.0.0.6 to publicIP:80 should be proxied back to 10.0.0.6:80.

it is starting to sound like the simplest solution would be to run split
internal/external DNS, or use bind9's views.

-- 
  Aaron J. Grier | "Not your ordinary poofy goof." | agrier@poofygoof.com
  "Isn't an OS that openly and proudly admits to come directly from Holy
   UNIX better than a cheap UNIX copycat that needs to be sued in court
   to determine what the hell it really is?"  --  Michael Sokolov
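The routing argument in the thread, as an added model that is not part of the original mail and not ipfilter code: a router holding the `rdr` rule and its NAT state, with hosts delivering directly to peers on their own subnet and via the router otherwise. The public address, the 10.0.0.7 / 10.1.0.7 clients and the two /16 prefixes are constructed; only 10.0.0.6 comes from the thread.

```python
import ipaddress

PUBLIC_IP = "192.0.2.1"   # constructed stand-in for the page's "publicIP"
SERVER = "10.0.0.6"       # the web server behind the rdr rule

# Constructed subnet layouts: the original flat /8, and the /16 split proposed
ONE_SUBNET = [ipaddress.ip_network("10.0.0.0/8")]
SPLIT_SUBNETS = [ipaddress.ip_network("10.0.0.0/16"),
                 ipaddress.ip_network("10.1.0.0/16")]


class Router:
    """Models 'rdr publicIP:80 -> 10.0.0.6:80' with a NAT state table."""

    def __init__(self):
        self.state = {}  # (client, client_port) -> original destination

    def forward(self, pkt):
        src, sport, dst, dport = pkt
        if (dst, dport) == (PUBLIC_IP, 80):             # inbound: apply rdr
            self.state[(src, sport)] = (dst, dport)
            return (src, sport, SERVER, 80)
        if (src, sport) == (SERVER, 80) and (dst, dport) in self.state:
            orig = self.state[(dst, dport)]             # reply: undo rdr
            return (orig[0], orig[1], dst, dport)
        return pkt                                      # untouched traffic


def next_hop(src, dst, subnets):
    """A host delivers directly when src and dst share a subnet, else via router."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return "direct" if any(s in n and d in n for n in subnets) else "router"


def connect(client, subnets):
    """Simulate client -> publicIP:80 and the server's SYN-ACK back.
    Returns (source the client sees on the reply, source it expects)."""
    r = Router()
    syn = r.forward((client, 40000, PUBLIC_IP, 80))  # dst is public: via router
    synack = (syn[2], 80, syn[0], syn[1])            # server answers the client
    if next_hop(SERVER, client, subnets) == "router":
        synack = r.forward(synack)                   # only then is it untranslated
    return (synack[0], synack[1]), (PUBLIC_IP, 80)


def reply_matches(client, subnets):
    """True when the client's TCP stack will accept the SYN-ACK."""
    seen, expected = connect(client, subnets)
    return seen == expected
```

With the flat /8 the client sees the SYN-ACK arrive from 10.0.0.6:80 instead of publicIP:80 and drops it; after the split a 10.1.0.0/16 client works, but a client that is the server itself still never passes the router, which is the objection raised in the reply.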