Glad it's working; however, depending on your security needs, there are some variants of the configuration you may wish to consider.
"rdr pass" is an unrestricted pass or opening. An improvement to it follows.

#---EG1---
# No "pass" on the rdr: the translated packet must still match a filter rule.
# (Logging is done on the pass rules; "log" on an rdr is only valid together
# with "pass", so it is left off here.)
rdr on $external proto tcp from any to $external port 80 \
    -> 192.168.200.122 port 80
...
pass in quick log on $external inet proto tcp \
    from any to 192.168.200.122 port 80 tag _PASSED_ \
    flags S/FSRA synproxy state
...
pass out quick log on $dmz inet proto tcp \
    tagged _PASSED_ \
    keep state
#---EG1---

The flags allow only a clean, well-formed TCP handshake through. The synproxy further helps shield your web server from probing and assaults. The PASS OUT on $DMZ is better than your rdr pass. This also means the web server can only reply to a _PASSED_ request (usually a good thing); it cannot initiate a session to the internet.

A further security enhancement follows.

#---EG2---
table <Hackers> persist
...
rdr on $external proto tcp from !<Hackers> to $external port 80 \
    -> 192.168.200.122 port 80
...
# "port" needs a tcp/udp proto, so "inet proto tcp" is spelled out here.
block in on $external inet proto tcp from <Hackers> to $external port 80
# The tag is what the "pass out ... tagged _PASSED_" rule below matches on.
pass in quick log on $external inet proto tcp \
    from any to 192.168.200.122 port 80 tag _PASSED_ \
    flags S/FSRA synproxy state \
    (max-src-conn-rate 10/30, overload <Hackers> flush)
...
pass out quick log on $dmz inet proto tcp \
    tagged _PASSED_ \
    keep state
#---EG2---

Where "10/30" is specific to your site's environment. IN THIS EXAMPLE, it means any source IP bashing away at your port 80 exceeding 10 tries in 30 seconds is auto-magically added to the <Hackers> table. The <Hackers> table is then used to BLOCK the 11th and subsequent tries. The "10/30" values are YOURS to pick.

Also, the block/pass pair can be rewritten into one pass statement as follows.
#---EG3---
pass in quick log on $external inet proto tcp \
    from !<Hackers> to 192.168.200.122 port 80 tag _PASSED_ \
    flags S/FSRA synproxy state \
    (max-src-conn-rate 10/30, overload <Hackers> flush)
#---EG3---

I used the block/pass pair for better clarity AND, if you're trying to get this working the first time, the pair is easier to debug and to understand the effect of when looking at tcpdumps and the like.

Let the debates begin.

Good luck,
/Scott

Charles Farinella wrote:
>
> Charles Farinella wrote:
> =========================
> # Network interfaces
> external = "dc0"
> internal = "dc1"
> dmz = "dc2"
>
> # Address ranges
> int_add = "192.168.100.0/24"
> dmz_add = "192.168.200.0/24"
> ext_add = "X.X.X.25"
>
> rdr pass log (all) on $external proto tcp from any to $external port 80 \
>     -> 192.168.200.122 port 80
> rdr pass log (all) on $internal proto tcp from any to $external port 80 \
>     -> 192.168.200.122 port 80
> ==========================
>
> I actually had it working and didn't realize it, as I was accessing the
> server via dc1 and only had the dc0 rule set. Martin Toft tipped me off
> when he pointed that out to me, and indeed checking from a machine
> outside of our network confirmed that. Creating the internal redirect
> has solved my problem.
>
> Thanks again.
>
> --charlie
>
> --
> Charles Farinella
> Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
> [EMAIL PROTECTED]
> voice: 603.924.6079 fax: 603.924.8668

--
View this message in context: http://www.nabble.com/pf-examples-needed-tf3021355.html#a8440660
Sent from the openbsd user - misc mailing list archive at Nabble.com.
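Putting the two messages together, as an added example that is not part of either post: a complete pf.conf in the separate-rdr syntax the thread uses (OpenBSD releases before 4.7, which folded rdr into pass/match), with Charlie's interface and address macros, Scott's EG2 rules on the external side, and the internal-side redirect Charlie needed. The `$webserver` macro, the `scrub` line, the default-deny `block log all`, and the `pass in on $internal` rule are my additions: without that last rule the internal path never sets the `_PASSED_` tag, so the `pass out on $dmz tagged _PASSED_` rule would have nothing to match for LAN clients. NAT and general LAN-to-internet rules are outside the thread and are not shown.

```pf
# pf.conf assembled from the thread (pre-OpenBSD 4.7 syntax: separate rdr rules).
# Lines marked "assumed" are not in either post.

# Network interfaces (from Charlie's post)
external = "dc0"
internal = "dc1"
dmz      = "dc2"

# Address ranges (from Charlie's post)
int_add = "192.168.100.0/24"
dmz_add = "192.168.200.0/24"
ext_add = "X.X.X.25"

# DMZ web host (assumed macro; the address is the one used in the thread)
webserver = "192.168.200.122"

# Sources that exceeded the connection rate. "persist" keeps the table
# around even when no rule currently references it.
table <Hackers> persist

# Reassemble fragments before the filter rules see them (assumed)
scrub in all

# Redirect port 80 on the external address to the DMZ web server, both
# from the internet and from the LAN (Charlie's two rdr rules, without
# "pass" so the filter rules below still apply). Sources already in
# <Hackers> are not translated at all.
rdr on $external proto tcp from !<Hackers> to $external port 80 \
    -> $webserver port 80
rdr on $internal proto tcp from any to $external port 80 \
    -> $webserver port 80

# Default deny, logged (assumed policy)
block log all

# Anyone in <Hackers> is dropped explicitly on the untranslated address
block in quick on $external inet proto tcp from <Hackers> to $external port 80

# Internet -> web server: only a clean SYN, handshake completed by the
# synproxy, and more than 10 connections from one source in 30 seconds
# puts that source into <Hackers> and flushes its existing states.
pass in quick log on $external inet proto tcp \
    from any to $webserver port 80 tag _PASSED_ \
    flags S/FSRA synproxy state \
    (max-src-conn-rate 10/30, overload <Hackers> flush)

# LAN -> web server via the external address (Charlie's case; assumed rule).
# The packet arrives on $internal already translated to $webserver.
pass in quick log on $internal inet proto tcp \
    from $int_add to $webserver port 80 tag _PASSED_ \
    flags S/SA keep state

# Only traffic that was tagged by a pass in rule may enter the DMZ;
# the web server itself can never originate a session through here.
pass out quick log on $dmz inet proto tcp \
    tagged _PASSED_ \
    keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; a missing `proto tcp` in front of a `port`, or `log` on an rdr without `pass`, is reported there rather than at load time. Once running, `pfctl -t Hackers -T show` lists the sources that tripped the 10/30 rate, and `pfctl -t Hackers -T delete <addr>` releases one that turned out to be a legitimate client behind a busy proxy.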

