Hi!

If I understood correctly, all your stuff behind the pf firewall is in the 192.168.0.0/24 subnet, and when trying to access your webserver from one of the workstations it doesn't work. My guess is that you are using a public nameserver which resolves the webserver's name to the IP address which is your firewall's public address, and that's why packets aren't getting from internal clients to the destination. Here could be two solutions:

1. Use separate name resolution for internal clients, so that when resolving your webserver's name they get 192.168.0.4. Then traffic doesn't even go through the firewall between clients and webserver; they can communicate directly.

2. Rewrite packets in the firewall. Essentially you need to rewrite the src and dst addresses of the packets that come from local clients into the firewall, so that the firewall routes them to 192.168.0.4 and replies get routed back. It could be done with rules similar to these:

rdr on $int_if proto tcp from 192.168.0.0/24 to web.server.public.ip port 80 -> 192.168.0.4
no nat on $int_if proto tcp from firewall.internal.ip to 192.168.0.0/24
nat on $int_if proto tcp from 192.168.0.0/24 to 192.168.0.4 port 80 -> firewall.internal.ip

rdr says to rewrite the dst address, and nat says to rewrite the src address. no nat says not to touch packets that originate from the firewall itself.

This should be done along the lines of:

http://www.openbsd.org/faq/pf/rdr.html#rdrnat

3. Make your workstations use some HTTP proxy on the public internet.

In terms of traffic generation and speed the last option is the worst but requires the least effort; the second is better and the first is the best.


I hope I didn't mix something up inadvertently!


Best regards

Imre

PS: First of all you could just try to access your webserver by its IP address instead of the domain name, or temporarily put a line like this into one of your Unix laptops' /etc/hosts and test:

192.168.0.4 webservers.domainname


Bales, Tracy wrote:
I have the following network configuration:

Internet....Firewall....Network Switch....Web-Server
                              |
                              +....Windows XP Desktop #1
                              +....Windows XP Desktop #2
                              +....Windows XP Desktop #3
                              +....Wireless AP.....Windows XP Laptop #1
                                                   Windows XP Laptop #2
                                                   Ubuntu Laptop
                                                   Windows XP Work Laptop

My firewall is a Sun Netra X1 running OpenBSD 4.2 Stable, and has pf
with NAT and RDR rules and I have dhcpd running on the internal network
on the 192.168.0.0/24 subnet.

My web-server is a Sun Netra T1 running OpenBSD 4.2 Release.  My
firewall assigns a fixed IP address via DHCP to the web-server which is
192.168.0.4.

My wireless access point is a DLink 800+.  My firewall assigns a fixed
IP address via DHCP to the access point which is 192.168.0.2.

Here's my dilemma.  All of my desktops and laptops can access the
internet including accessing a VPN server for my work laptop.  BUT I
CANNOT access my internal web-server at 192.168.0.4!!!

I've looked on the internet for pf rules but they only offer solutions
that can access either the internet or the web-server only but not both.

****I've looked at the OpenBSD pf FAQ and tried the inetd(8) with nc(1)
suggestion but...it blocks web access to the internet.

****Does anyone have a suggestion on how I can get my desktops and
laptops to get access to the internet AND my web-server?

Here's my pf.conf setup that allows all of my desktops and laptops to
get to the internet but not my web-server...


# macros
ext_if="dc0"
int_if="dc1"
web_server="192.168.0.4"

# scrub
scrub in

# nat
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

# redirection
rdr on $ext_if proto tcp from any to any port 80 -> $web_server

# filter rules
block in
pass out keep state
antispoof for { lo $int_if }

## take care of lo traffic
pass quick on lo all

## block inet6 traffic
block in quick inet6

## block broadcast noise
block in quick on $ext_if from any to 255.255.255.255

## take care of VPN
pass in quick proto gre all
pass out quick proto gre all

## pass out all UDP connections and keep state
pass out on $ext_if proto udp from ($ext_if) to any keep state

## pass out all ICMP connections and keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any keep state

## pass SSH traffic to firewall
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA keep state

## pass web traffic to web_server
pass in on $ext_if inet proto tcp from any to $web_server port 80 flags S/SA synproxy state

## pass everything else
pass in quick on $int_if
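Imre's second option applied to the posted macros, as an added example (not code from either poster). It assumes the workstations resolve the webserver's name to the address of $ext_if, that the firewall's internal address lies inside 192.168.0.0/24, and that the int_net macro is new; the translation rules follow the rdr.html#rdrnat pattern Imre links.

```conf
# macros (ext_if, int_if, web_server as in the posted pf.conf; int_net is added)
ext_if="dc0"
int_if="dc1"
int_net="192.168.0.0/24"
web_server="192.168.0.4"

# outbound NAT for everything leaving on the external interface (unchanged)
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

# external clients: redirect port 80 on the public address to the web server
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_server

# internal clients that resolve the name to the public address:
# 1. rewrite the destination so the packet is routed back out to the server ...
rdr on $int_if proto tcp from $int_net to ($ext_if) port 80 -> $web_server
# 2. ... but leave the firewall's own connections into the LAN untouched ...
no nat on $int_if proto tcp from ($int_if) to $int_net
# 3. ... and rewrite the source so the server's replies come back through
#    the firewall; without this the client receives a reply from 192.168.0.4
#    for a connection it opened to the public address and drops it.
nat on $int_if proto tcp from $int_net to $web_server port 80 -> ($int_if)

# filter: redirected packets still have to be passed. The posted
# "pass in quick on $int_if" already does this; shown here explicitly.
pass in quick on $int_if inet proto tcp from $int_net to $web_server port 80 flags S/SA keep state
```

Side effect worth knowing before relying on the server's logs: for LAN clients the web server now sees the firewall's internal address as the source, not the workstation.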
