Hi Daniel,
thanks for your replies. With my newly gained knowledge about pf I tried to find
a workable solution for my problem using 3.1-stable but failed (I think that was
to be expected :).
So I thought about how it could be done by extending the current pf (as I
understand pf right now) and came up with three ways:
1) rdr on de0 inet proto tcp from any to 195.200.200.201 port http \
-> 192.168.0.100 port http
pass in quick on de0 route-replies-to de0 inet proto tcp \
from any to 192.168.0.100 port http
This is your proposal. Maybe this is the only one that would be sensible to do,
but nevertheless I thought about different ways of doing it :) The one thing that
I don't really like in this solution is that I would have to open a private IP
on the outer interface for this to work.
2) pass in quick on de0 route-into de1 inet proto tcp \
from any to 195.200.200.201 port http keep state
rdr on de1 inet proto tcp from any to 195.200.200.201 port http \
-> 192.168.0.100 port http
In this example there would be a route-into, which should pass the packet INTO
and not OUT OF de1, as a route-to would do, so the rdr rule would be evaluated.
But I'm not sure what would happen to the packet after it went into de1. I
guess it would be evaluated by the kernel and get routed out of de1 again.
3) pass in quick on de0 route-to de1 inet proto tcp \
from any to 195.200.200.201 port http keep state
rdr-out on de1 inet proto tcp from any to 195.200.200.201 port http \
-> 192.168.0.100 port http
The problem here is that rdr only works on incoming connections, so rdr rules
don't apply. If there were an rdr-out for outgoing connections translating
the destination, it should work.
I prefer the third possibility, but I don't know the pf source (I had a quick
glance, but that is not enough to understand it :).
> I'm not sure this is a common enough case to warrant the extention,
> but it kind of makes sense to me. Any opinions? :)
Is this really such a rare case? It should happen nearly always when you have
two external interfaces and provide services to the world which are not on the
router/fw. Or is this easier to do and I am trying to accomplish things the hard
way? If so, could someone please point me in the right direction?
So if there were a vote (ok, this is not a democracy, but one can vote
nevertheless :), here is the first vote for an extension of pf in this
direction (preferably using the third alternative, but that is just a matter of
taste). And if this extension is really seriously taken into consideration, how
can I help?
Thanks, Clemens
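As an added example that is not part of Clemens' or Daniel's messages: the first alternative written out with pf's reply-to option, which pf gained after the 3.1 release this thread is about, in the classic (pre-4.7) rule syntax the thread itself uses. The addresses of de0 and of the internal web server are taken from the message; the upstream gateway 195.200.200.1 and the macro names are assumptions.

```conf
# Added example, not code from the thread: alternative 1 with reply-to.
# Assumes classic pf syntax (pre-OpenBSD 4.7) and a pf that has reply-to;
# the 3.1 release discussed above does not.
ext_if  = "de0"                 # external interface holding 195.200.200.201
ext_gw  = "195.200.200.1"       # ASSUMED upstream gateway reachable via de0
www_srv = "192.168.0.100"       # internal web server (from the message)

# rdr is applied before the filter rules, so the pass rule below has to
# match the translated (private) destination. That is the "private IP on
# the outer interface" Clemens objects to; it is inherent in how rdr works.
rdr on $ext_if inet proto tcp from any to 195.200.200.201 port http \
    -> $www_srv port http

# reply-to sends the reply packets of this state back out through de0 to
# de0's gateway instead of following the default route (which may point
# at the other external interface). It only acts on stateful connections,
# so keep state is required.
pass in quick on $ext_if reply-to ($ext_if $ext_gw) inet proto tcp \
    from any to $www_srv port http flags S/SA keep state
```

Rules for the internal interface carrying the server are unchanged by this and are not shown; if the ruleset blocks by default, the forwarded connection still needs a pass out rule there.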