ipf rules not working; is binat the solution?

Can anybody point me to a sample pf.conf file that
would cover the following scenario? My old rules from
ipfilter and ipnat don't seem to be working.

I have an OpenBSD box as a firewall/router between the
outside and a single PC on the inside hosting two web
sites on different addresses and ports. The way it was
working with ipf (and the way I would like it to
continue working, so I don't have to change my
httpd.conf file -- not wanting to break more than one
thing at a time) is that incoming requests to
foo.com:80 were redirected to and
those to bar.com:80 were redirected to This has worked fine for me with
And all outgoing connections from inside were given
the same IP address, that of the external interface on
the gateway.

Is what I describe an application of binat? I'm
confused about what binat is for but am wondering if
binat is what I need since the old ipf rules aren't
working. The documentation online is frustrating -- a
lot of it has been written before the integration of
pf.conf and nat.conf, apparently; there is exactly one
example of binat in the pf.conf man page, and it is a
pretty unenlightening example; also, NAT is covered
after filtering in the man page, when in fact one
needs to understand and configure NAT in pf.conf
*before* the filtering configuration, if both are
used; the HOWTO doesn't mention binat, and says this
is how to load the rule set:

    pfctl -R /etc/pf.conf

What that line does is load the filtering rules, and
ignore the NAT rules -- but the HOWTO doesn't say
that. Then again, I am confused, so maybe I'm also
wrong -- any corrections would be appreciated!

Sorry about the rant. I understand things are evolving
and the documents need time to catch up, so my whining
about the documents is not just meant as a complaint,
but more to say yes, I have tried to read the fine
manual. Hopefully the manuals will be even more fine

So in the meantime is there anyone running a similar
setup who would be willing to share the NAT part of
your rule set? I've scoured the PF part of my rules
pretty well and they seem OK. Am happy to post them if
that would help...
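
The scenario in the post above (two port-80 redirects to one inside PC, plus a single shared address for outgoing traffic) written with rdr and nat rather than binat, as an added example that is not part of the original post. It uses the older pf.conf translation syntax with "->" (OpenBSD 4.7 and later express the same thing with nat-to and rdr-to on match/pass rules); every interface name, address and port is a constructed placeholder, because the post's own values are missing.

```conf
# Constructed example, older pf.conf syntax. All values are placeholders.
ext_if   = "fxp0"          # external interface (placeholder name)
ext_addr = "192.0.2.1"     # primary address of the external interface
ext_foo  = "192.0.2.10"    # address foo.com resolves to
ext_bar  = "192.0.2.11"    # address bar.com resolves to
int_net  = "10.0.0.0/24"   # inside network
web_foo  = "10.0.0.2"      # inside address serving foo.com
web_bar  = "10.0.0.3"      # inside address serving bar.com
foo_port = "8080"          # inside port for foo.com
bar_port = "8081"          # inside port for bar.com

# --- Translation rules: these must precede the filter rules ---

# Everything leaving from the inside network gets the gateway's address.
nat on $ext_if from $int_net to any -> $ext_addr

# Inbound port 80 on each public address goes to its own inside
# address and port, so httpd.conf on the inside PC stays unchanged.
rdr on $ext_if proto tcp from any to $ext_foo port 80 -> $web_foo port $foo_port
rdr on $ext_if proto tcp from any to $ext_bar port 80 -> $web_bar port $bar_port

# binat is a one-to-one, bidirectional mapping of a whole address:
#   binat on $ext_if from $web_foo to any -> $ext_foo
# It translates every protocol and port and cannot rewrite port 80 to
# a different inside port, so it does not fit this scenario.

# --- Filter rules ---

# Default deny on the external interface.
block in on $ext_if all

# rdr is applied before filtering, so these rules match the
# translated (inside) destination, not the public address.
pass in on $ext_if proto tcp from any to $web_foo port $foo_port flags S/SA keep state
pass in on $ext_if proto tcp from any to $web_bar port $bar_port flags S/SA keep state

# Outbound traffic, already translated by the nat rule above.
pass out on $ext_if all keep state

# Load both translation and filter rules:   pfctl -f /etc/pf.conf
# Confirm the translation rules loaded:     pfctl -s nat
# Confirm the filter rules loaded:          pfctl -s rules
```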