Thanks Imre!!! That seems to have done the trick for both issues.

Cheers!
-Parvinder Bhasin

On Aug 21, 2008, at 2:28 PM, Imre Oolberg wrote:

Hello!

My guess is you don't get anything logged since you pass with rdr rules. Maybe it is cleaner to keep translation and filtering separate, e.g. have translation rules like this:

rdr on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80

And then you need to pass not to the external interface's IP address but to where your, so to say, real server is, e.g. the rule

pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state

should rather read

pass in on $ext_if proto tcp from any to $webby_server port 80 keep state

And also note that a rule like this works when there aren't other rules that match the packet. Maybe it is more straightforward, at least for debugging, to add the 'quick' keyword to it, which makes the rule match no matter what follows, like this:

pass in quick on $ext_if proto tcp from any to $webby_server port 80 keep state


Imre

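The two pf behaviours Imre's advice rests on, as an added model that is neither pf's code nor anything posted in this thread: translation (rdr) runs before filtering and rewrites the destination, and among filter rules the last match wins unless a matching rule says 'quick'. The address and interface values reuse the macros from the posted pf.conf; the packet and rule objects are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional
EXT_IF, WEBBY_IP, WEBBY_SERVER = "sk0", "70.40.22.18", "172.16.10.11"  # macro values from the posted pf.conf

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dst: str
    port: int

@dataclass(frozen=True)
class Rule:
    action: str                     # "pass", "block" or "rdr"
    iface: Optional[str] = None     # None matches anything
    proto: Optional[str] = None
    dst: Optional[str] = None
    port: Optional[int] = None
    quick: bool = False             # filter rules: stop evaluating on a match
    rdr_to: Optional[tuple] = None  # rdr rules: (new_dst, new_port)
    rdr_pass: bool = False          # 'rdr pass': filter rules are skipped
    def matches(self, p: Packet) -> bool:
        return all(want is None or want == got for want, got in
                   ((self.iface, p.iface), (self.proto, p.proto),
                    (self.dst, p.dst), (self.port, p.port)))

def evaluate(p: Packet, rdr_rules, filter_rules) -> str:
    """Translate first (first rdr match wins), then filter (last match wins unless 'quick')."""
    for r in rdr_rules:
        if r.matches(p):
            if r.rdr_pass:          # the 'rdr pass' form: no filter rule (or its log) runs
                return "pass (rdr pass, no filter rule consulted)"
            p = replace(p, dst=r.rdr_to[0], port=r.rdr_to[1])
            break
    result = "pass"                 # pf's implicit default when nothing matches
    for r in filter_rules:
        if r.matches(p):
            result = r.action
            if r.quick:
                break
    return result

RDR = Rule("rdr", EXT_IF, "tcp", WEBBY_IP, 80, rdr_to=(WEBBY_SERVER, 80))
BLOCK_ALL_IN = Rule("block")                                # block in log
PASS_EXT_IP = Rule("pass", EXT_IF, "tcp", WEBBY_IP, 80)     # pass rule as posted
PASS_REAL = Rule("pass", EXT_IF, "tcp", WEBBY_SERVER, 80)   # Imre's correction
LATE_BLOCK = Rule("block", EXT_IF, quick=True)              # a later 'block in quick on $ext_if'

def web_request_verdict(rdr_rule, pass_rule, tail=()):
    # Fate of a constructed client SYN to the public web address under the given rules.
    return evaluate(Packet(EXT_IF, "tcp", WEBBY_IP, 80), [rdr_rule], [BLOCK_ALL_IN, pass_rule, *tail])
```

With the posted pass rule the translated packet (now addressed to 172.16.10.11) only matches the catch-all block; with the corrected rule it passes, and adding 'quick' keeps it passing even when a later block rule would otherwise win.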

Parvinder Bhasin wrote:
List,

I am having some issues while redirecting traffic to port 80 on the $squid_server.

I have this server serving two purposes: Apache web server and Squid server. I can definitely get to the PROXY services fine but cannot get to the WWW (port 80) on the same server.

Another issue is that when I try to actively look at the pflog by running "tcpdump -n -e -ttt -i pflog0", I don't get anything even when the traffic is passing and/or getting blocked.

Any help is highly appreciated.

thx.


For this I have the following pf config:


ext_if="sk0"
int_if="gem0"
pf_log="pflog0"
set skip on enc0
set skip on gre0

external_ip="70.40.22.17"
external_ips="{70.40.22.17 70.40.22.18 70.40.22.19}"
external_net="{70.40.22.17 70.40.22.18 70.40.22.19}"


internal_ip="172.16.10.10"
internal_networks="{172.16.10.0/24 172.16.100.0/24 172.16.200.0/24}"

webby_ip="70.40.22.18"
webby_server="172.16.10.11"

squid_ip="70.40.22.19"
squid_server="172.16.10.12"

# block_ip="70.40.22.20"
block_server="172.16.10.12"

######TABLES########
table <bruteforce> persist
table <kiddies> persist

#### OPTIONS #####
set loginterface $ext_if
set loginterface $int_if
scrub in

#### NAT/REDIRECTS ####

nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

# rdr pass on $ext_if proto tcp from any to $block_ip port 80 -> $squid_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 443 -> $webby_server port 443
rdr pass on $ext_if proto tcp from any to $squid_ip port 3128 -> $squid_server port 3128
rdr pass on $ext_if proto tcp from any to $squid_ip port 80 -> $squid_server port 80

###### FILTERS #####
block log quick from <bruteforce>
block log quick from <kiddies>
block in log on $pf_log


# pass in quick on $int_if
pass out keep state

pass in on $ext_if proto icmp from any to $external_ip keep state
pass in on $ext_if proto tcp from any to $external_ip port ssh keep state
pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state
pass in on $ext_if proto tcp from any to $webby_ip port 443 keep state
pass in log (all, to $pf_log) on $ext_if proto tcp from any to $squid_ip port 3128 keep state
pass in on $ext_if proto tcp from any to $squid_ip port 80 keep state
# pass in on $ext_if proto tcp from any to $block_ip port 80 keep state
pass in on $ext_if proto tcp from any to $external_ips port 22 keep state
pass inet proto tcp from any to $external_net port 22 flags S/SA keep state (max-src-conn 25, max-src-conn-rate 15/5, overload <bruteforce> flush global)
# block in quick on $ext_if
