On Jul 21, 2006, at 12:26 PM, Ashley Moran wrote:
> Hi
>
> We have a website on a server in our DMZ that hits a webservice over SSL
> identified by an external IP. However, the webservice is on the same box.
> PF won't route requests to the external IP that come in on the DMZ interface
> back out of the same interface, so we can't hit it.
>
> I've tried making it hit the internal DMZ IP of the web server, but then you
> get trust errors because the certificate is not issued for 10.0.0.15.
>
> Is there a way round this? I can't see anything in the PF FAQ. We
> desperately need to get the webserver to hit itself over the external IP.
>
> Previously the DMZ was protected by IPCop - I've got no idea how it worked
> before.

I believe you're looking for "reflection". If you're using the IP
instead of the hostname, either TCP proxying or the "rdr / nat / no
nat" combination should work.
http://www.openbsd.org/faq/pf/rdr.html#reflect
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
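
The "rdr / nat / no nat" combination mentioned in the reply, sketched as a pf.conf fragment. This is an added example, not part of the original thread. It uses the translation syntax of the thread's era (OpenBSD releases before 4.7; later releases express the same thing with rdr-to / nat-to on pass rules). Assumptions: the interface name, the external address (a documentation placeholder) and port 443 are hypothetical; only 10.0.0.15 comes from the thread.

```pf
# Macros (assumed values, adjust to the real setup)
dmz_if  = "em1"          # hypothetical DMZ interface name
ext_ip  = "192.0.2.10"   # placeholder for the external IP the certificate is issued for
web_srv = "10.0.0.15"    # DMZ address of the web server (from the thread)

# 1. Requests arriving on the DMZ interface for the external IP are
#    redirected back to the web server's DMZ address.
rdr on $dmz_if proto tcp from $dmz_if:network to $ext_ip port 443 -> $web_srv

# 2. Connections the firewall itself opens into the DMZ are not translated.
no nat on $dmz_if proto tcp from $dmz_if to $dmz_if:network

# 3. Reflected connections leave the DMZ interface with the firewall's
#    DMZ address as source, so the replies return through the firewall
#    and match the state entry.
nat on $dmz_if proto tcp from $dmz_if:network to $web_srv port 443 -> ($dmz_if)

# Filter rules see the translated addresses and must allow both legs.
pass in  on $dmz_if proto tcp from $dmz_if:network to $web_srv port 443 flags S/SA keep state
pass out on $dmz_if proto tcp from ($dmz_if) to $web_srv port 443 flags S/SA keep state
```

Because of the nat rule, the web server's access logs show the firewall's DMZ address as the client for reflected requests. The client still connects to the external IP, so the certificate check that failed against 10.0.0.15 is made against the address the certificate was issued for.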