Hi,
Let's say your ISP gave you 4 public addresses and you want to use those
for webservers.
Your ISP gave you: X.Y.Z.A, X.Y.Z.B, X.Y.Z.C and X.Y.Z.D
You decide to set up a DMZ and a nice OpenBSD 3.9 to route/NAT/filter
all this stuff, like this:
LAN ==== OpenBSD 3.9 ==== Internet
              ||
              ||
             DMZ
In the DMZ, web servers are 10.0.0.B, 10.0.0.C, 10.0.0.D.
The first goal is to make 10.0.0.B reachable from Internet.
What I did was this:
1) in /etc/hostname.ext_if:
inet X.Y.Z.A 255.255.255.248
inet alias X.Y.Z.B 255.255.255.255
inet alias X.Y.Z.C 255.255.255.255
inet alias X.Y.Z.D 255.255.255.255
2) in /etc/pf.conf
# NAT section
binat on ext_if from 10.0.0.B to any -> X.Y.Z.B
# Rules section, I only need https access to this machine.
block all
.
.
.
pass in on ext_if proto tcp from any to X.Y.Z.B port https
pass out on dmz_if proto tcp from any to 10.0.0.B port https
pass in on dmz_if proto tcp from 10.0.0.B port https to any
pass out on ext_if proto tcp from X.Y.Z.B port https to any
Well ... this does not work and I can't find a reason why.
What i noticed:
When logged on the OpenBSD box, a "telnet 10.0.0.B 443" works fine.
However, from the outside, I can't reach the port, as if the address was
not translated and the packet was routed to the OpenBSD box where no web
server runs.
Some of you surely have set up many DMZs, thanks to those who can give a
tip!!!
Cheers
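An added example, not part of the original post: a corrected pf.conf fragment in OpenBSD 3.9 syntax, using the same interface and address placeholders as above. It assumes the usual cause of this symptom: pf evaluates translation rules (binat) before filter rules, so the inbound filter rule on ext_if has to match the translated destination 10.0.0.B rather than X.Y.Z.B, otherwise `block all` drops the packet after translation.

```pf
# /etc/pf.conf -- constructed example; ext_if, dmz_if and the addresses
# are placeholders for the real interface names and public IPs.

# 1:1 mapping of the DMZ web server to its public address.
binat on ext_if from 10.0.0.B to any -> X.Y.Z.B

# Default deny; "log" lets pflog0 show which packets this rule drops.
block log all

# Inbound on ext_if: translation has already happened, so the filter
# engine sees the destination as 10.0.0.B, not X.Y.Z.B.
pass in on ext_if proto tcp from any to 10.0.0.B port https
pass out on dmz_if proto tcp from any to 10.0.0.B port https

# Replies: on dmz_if the source is still 10.0.0.B; on ext_if the binat
# has rewritten it back to X.Y.Z.B before filtering, so match that.
pass in on dmz_if proto tcp from 10.0.0.B port https to any
pass out on ext_if proto tcp from X.Y.Z.B port https to any
```

Validate with `pfctl -nf /etc/pf.conf` before loading, and after a connection attempt from outside run `tcpdump -n -e -ttt -i pflog0` to see the dropped packet with its post-translation address and the rule number that blocked it.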