[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ipf rules not working; is binat the solution?



On Tue, Nov 19, 2002 at 08:16:14PM -0800, Ed Herkel wrote:
> I have an OpenBSD box as a firewall/router between the
> outside and a single PC on the inside hosting two web
> sites on different addresses and ports. The way it was
> working with ipf (and the way I would like it to
> continue working, so I don't have to change my
> httpd.conf file -- not wanting to break more than one
> thing at a time) is that incoming requests to
> foo.com:80 were redirected to 192.168.0.1:8080 and
> those to bar.com:80 were redirected to
> 192.168.0.2:8090. This has worked fine for me with
> ipf.
> And all outgoing connections from inside were given
> the same IP address, that of the external interface on
> the gateway.
First, pf (as ipf) can redirect based on addresses, not domain names.
Neither of them looks inside HTTP requests and uses packet payload to
redirect to different servers. So, do you mean two specific IP addresses
when you say "foo.com:80" and "bar.com:80"?
If "foo.com" is a dedicated routable address assigned to the external
interface of the gateway, you either use an rdr rule to redirect port 80
to the internal web server:
  rdr on $ext_if inet proto tcp from any to 1.2.3.4 port 80 \
    -> 192.168.0.1 port 8080
and similarly for the second server. These then cover all incoming
connections to 1.2.3.4 port 80.
If it's ok to map all outgoing connections to the primary address of the
external interface (which can be either a third routable address or one
of the two used by the web servers), a single nat rule will do:
  nat on $ext_if from 192.168.0.0/16 to any -> $ext_if
If you have three dedicated routable addresses on the external interface
(one for each web server, one for the gateway itself), you could use
binat to forward all connections to and from the web servers to their
own external addresses:
  binat on $ext_if from 192.168.0.1 to any -> 1.2.3.4
  binat on $ext_if from 192.168.0.2 to any -> 5.6.7.8
  nat on $ext_if from 192.168.0.0/16 to any -> $ext_if
But if the only connections from and to the web servers are incoming TCP
connections to port 80, the two rdr rules are sufficient, and you don't
need the binat rules. The advantage of the binat rules would be that
they cover all ports, as well as map outgoing connections to the
respective external address of each web server, instead of just the
single external address of the gateway.
Daniel