Re: pf icmp redirect question
On Fri, 30 May 2014 19:32:32 +0100 André Lucas an...@ae-35.com wrote:
> Or if you're concerned about the ICMP messages related to PMTUd, they're
> automatically forwarded as part of the connection state tracking IIRC.
>
> -André

That was my main concern, thanx for clarifying.
--
Marko Cupać
pf icmp redirect question
Hi,

let's say for example I have a web server on an internal network, and I have
redirected tcp port 80 from the firewall to it:

pass in on $ext_if inet proto tcp from any to $pub_web port 80 \
        rdr-to $priv_web

Assuming that the $pub_web ip address is used exclusively for web server
access, and no other ports are redirected to other internal addresses,
should I also redirect icmp:

pass in on $ext_if inet proto icmp from any to $pub_web rdr-to $priv_web

Thank you in advance,
--
Marko Cupać
Re: pf icmp redirect question
Marko Cupać (marko.cu...@mimar.rs) on 2014.05.30 11:32:14 +0200:
> Hi,
>
> let's say for example I have a web server on an internal network, and I
> have redirected tcp port 80 from the firewall to it:
>
> pass in on $ext_if inet proto tcp from any to $pub_web port 80 \
>         rdr-to $priv_web

From the wording of your subject, I suspect you somehow think that rdr-to
has something to do with icmp redirects, icmp messages with type 5. This
is not so.

> Assuming that the $pub_web ip address is used exclusively for web server
> access, and no other ports are redirected to other internal addresses,
> should I also redirect icmp:
>
> pass in on $ext_if inet proto icmp from any to $pub_web rdr-to $priv_web

No.
Re: pf icmp redirect question
On 30 May 2014 at 13:56, Sebastian Benoit wrote:
> Marko Cupać (marko.cu...@mimar.rs) on 2014.05.30 11:32:14 +0200:
> > Hi,
> >
> > let's say for example I have a web server on an internal network, and I
> > have redirected tcp port 80 from the firewall to it:
> >
> > pass in on $ext_if inet proto tcp from any to $pub_web port 80 \
> >         rdr-to $priv_web
>
> From the wording of your subject, I suspect you somehow think that rdr-to
> has something to do with icmp redirects, icmp messages with type 5. This
> is not so.

This is correct.

> > Assuming that the $pub_web ip address is used exclusively for web server
> > access, and no other ports are redirected to other internal addresses,
> > should I also redirect icmp:
> >
> > pass in on $ext_if inet proto icmp from any to $pub_web rdr-to $priv_web
>
> No.

This is not entirely correct -- you *may* want to have the above redirect
*if* you want external users to be able to ping the real web server to
ascertain that it is up, in which case you probably want to limit icmp
types to echo-request/echo-reply (you certainly do NOT want to pass through
the icmp redirect or the many other routing controls).
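An added pf.conf example, not written by any poster in this thread, that puts the broad ICMP redirect from the original question next to the narrowed form suggested above. It assumes the macros $ext_if, $pub_web and $priv_web from the original post (the interface and addresses below are placeholders) and the rdr-to syntax of OpenBSD pf as used in the thread.

```pf
# Constructed example, not from the thread. Macro names follow the original
# post; the interface and addresses are placeholders.
ext_if   = "em0"
pub_web  = "192.0.2.10"
priv_web = "10.0.0.10"

# The HTTP redirect from the original post. No extra ICMP rule is needed for
# PMTUD: an ICMP "fragmentation needed" that belongs to this TCP state is
# matched against the state and translated along with it.
pass in on $ext_if inet proto tcp from any to $pub_web port 80 \
        rdr-to $priv_web

# Too broad (the rule asked about): every ICMP type, including type 5
# redirect and the other routing-control messages, would be handed to the
# internal host.
#pass in on $ext_if inet proto icmp from any to $pub_web rdr-to $priv_web

# Narrowed: only echo requests are redirected, so external users can ping
# $pub_web and reach the real server. The echo reply is matched by the ICMP
# state pf created for the request (state is kept by default), so no
# separate echo-reply rule is needed.
pass in on $ext_if inet proto icmp from any to $pub_web \
        icmp-type echoreq rdr-to $priv_web
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; after an external ping, `pfctl -ss` shows the icmp state carrying the $pub_web to $priv_web translation.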
Re: pf icmp redirect question
On 30 May 2014 19:13, System Administrator ad...@bitwise.net wrote:
> On 30 May 2014 at 13:56, Sebastian Benoit wrote:
> > Marko Cupać (marko.cu...@mimar.rs) on 2014.05.30 11:32:14 +0200:
> > > Assuming that the $pub_web ip address is used exclusively for web
> > > server access, and no other ports are redirected to other internal
> > > addresses, should I also redirect icmp:
> > >
> > > pass in on $ext_if inet proto icmp from any to $pub_web rdr-to $priv_web
> >
> > No.
>
> This is not entirely correct -- you *may* want to have the above redirect
> *if* you want external users to be able to ping the real web server to
> ascertain that it is up, in which case you probably want to limit icmp
> types to echo-request/echo-reply (you certainly do NOT want to pass
> through the icmp redirect or the many other routing controls).

Or if you're concerned about the ICMP messages related to PMTUd, they're
automatically forwarded as part of the connection state tracking IIRC.

-André