pf rdr on requests originating from firewall box itself
Hi!

I've been using OpenBSD 3.3 release with great success to do redirection from external and internal IPs to internal IPs. I've been using TCP proxying as noted in the FAQ, i.e.

/etc/inetd.conf:

    127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w 20 192.168.1.2 80

/etc/pf.conf:

    rdr on $ext_if proto tcp from any to any port 80 -> $WWW_IP port 80
    rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> 127.0.0.1 port 5000
    pass in log on $ext_if inet proto tcp from any to $WWW_IP port 80 keep state
    pass out on $int_if inet proto tcp from any to $WWW_IP port 80 keep state

The only thing I haven't been able to figure out is how to correctly redirect requests from the firewall box ITSELF. I.e., while working on the firewall box:

    # telnet my.domain.name 80
    Trying a.b.c.d...

Telnet can never connect. Doing the same thing on a computer in the internal network works fine. Of course, using the internal IP also works perfectly.

I have played a bit with additional rdr rules in pf.conf, but I haven't found the right one yet. I guess it is an issue with my pf.conf rules and the way things are ordered on the TCP stack (and the interface being used)?

Any hints would be greatly appreciated! :)

Just wondering,

Thank you for your time,
Michael
Re: pf rdr on requests originating from firewall box itself
On Saturday, Jun 14, 2003, at 13:52 US/Pacific, Michael Purcaro wrote:

> I've been using OpenBSD 3.3 release with great success to do redirection from external and internal IPs to internal IPs. I've been using TCP proxying as noted in the FAQ.
>
> The only thing I haven't been able to figure out is how to correctly redirect requests from the firewall box ITSELF. I.e., while working on the firewall box:
>
>     # telnet my.domain.name 80
>     Trying a.b.c.d...
>
> Telnet can never connect. Doing the same thing on a computer in the internal network works fine. Of course, using the internal IP also works perfectly.
>
> I have played a bit with additional rdr rules in pf.conf, but I haven't found the right one yet. I guess it is an issue with my pf.conf rules and the way things are ordered on the TCP stack (and the interface being used)?
>
> Any hints would be greatly appreciated! :)

Yes, this can get a bit complicated. There's a flow diagram at http://mniam.net/pf/pf.png

Since routing is handled mainly by the usual kernel processing, it's already too late for that when it's heading out on an interface. But, if all you want is that domain name to work, why not just add an entry to /etc/hosts on the box?
Re: pf rdr on requests originating from firewall box itself
On Sat, Jun 14, 2003 at 04:52:26PM -0400, Michael Purcaro wrote:

> /etc/inetd.conf
>
>     127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w 20 192.168.1.2 80
>
> /etc/pf.conf
>
>     rdr on $ext_if proto tcp from any to any port 80 -> $WWW_IP port 80
>     rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> 127.0.0.1 port 5000
>     pass in log on $ext_if inet proto tcp from any to $WWW_IP port 80 keep state
>     pass out on $int_if inet proto tcp from any to $WWW_IP port 80 keep state
>
>     # telnet my.domain.name 80
>     Trying a.b.c.d...

assuming 'a.b.c.d' is the IP also assigned to the external interface, which resolves to 'my.domain.name', what about:

###
rdr on lo0 inet proto tcp from a.b.c.d to a.b.c.d port 80 tag HELLO -> (lo0) port 5000
pass on lo0 keep state tagged HELLO
###

i'm working on something not quite entirely unlike that at the moment, so if that's not exactly what you need, lemmie know.

jared.
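To put the pieces of the thread together, here is an added example of a complete pf.conf with the matching inetd line and the checks to run around it. It is not code from any of the posters: the interface names, the external address and the macro names are assumed and chosen to line up with the variables used in the thread. It shows the three redirections side by side: Michael's external rdr, his internal rdr through the inetd/nc proxy, and a rule in the spirit of Jared's for connections the firewall makes to its own external address, which never enter on the external interface but are delivered through lo0, so that is the only place where an rdr can see them.

```pf
# /etc/pf.conf (added example; interface names and addresses are assumed)
ext_if     = "fxp0"            # external interface (assumed name)
int_if     = "fxp1"            # internal interface (assumed name)
ext_ip     = "a.b.c.d"         # address on $ext_if, what my.domain.name resolves to
int_net    = "192.168.1.0/24"
WWW_IP     = "192.168.1.2"     # the real web server on the LAN
proxy      = "127.0.0.1"       # where the inetd/nc TCP proxy listens
proxy_port = "5000"

# 1. Internet -> web server. Packets arrive on $ext_if, so a plain rdr is enough.
#    Matching on $ext_ip rather than "any" keeps the rule to the published address.
rdr on $ext_if inet proto tcp from any to $ext_ip port 80 -> $WWW_IP port 80

# 2. LAN clients using the public name. These are handed to the inetd proxy
#    (the FAQ approach): with a direct rdr to $WWW_IP the server would answer the
#    client straight across the LAN with a source address the client never talked to.
rdr on $int_if inet proto tcp from $int_net to $ext_ip port 80 -> $proxy port $proxy_port

# 3. The firewall itself. A connection from the box to $ext_ip is routed through lo0,
#    not $ext_if, so the rdr has to sit on lo0. The tag lets the pass rule below
#    admit exactly this redirected traffic and nothing else.
rdr on lo0 inet proto tcp from $ext_ip to $ext_ip port 80 tag LOCALWWW -> $proxy port $proxy_port

pass on lo0 keep state tagged LOCALWWW
pass in log on $ext_if inet proto tcp from any to $WWW_IP port 80 keep state
# The proxy's own connection to the web server leaves on $int_if and is covered here too.
pass out on $int_if inet proto tcp from any to $WWW_IP port 80 keep state

# /etc/inetd.conf -- the TCP proxy from the FAQ (send inetd a HUP after editing)
# 127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w 20 192.168.1.2 80
#
# Checks, in order:
#   pfctl -nf /etc/pf.conf    parse only; a pf that does not know "tag" rejects rule 3,
#                             in which case drop the tag and match on lo0 port $proxy_port
#   pfctl -f /etc/pf.conf     load the ruleset
#   pfctl -s nat              the three rdr rules should be listed
#   telnet my.domain.name 80  from the firewall, then in another session:
#   pfctl -s state            a state with destination 127.0.0.1:5000 confirms the rdr fired
```

Two things worth knowing before relying on this: every connection that goes through the inetd/nc proxy, whether from the LAN or from the firewall itself, reaches the web server with the firewall's internal address as its source, so the server's access log loses the real client for those requests; and `nc -w 20` makes the proxy drop a connection after 20 seconds of idleness, which a long-lived HTTP session on the LAN path will notice even though the external path in rule 1 has no such limit.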