
Redirecting to a 2nd web server



I've got 2 web servers behind a single IP address with NAT. My redirect
rules for the first one (on port 80) work. Now I'm trying to add rules for
the 2nd one. I figure I will use port 8080 for the external port. So I
added these rules:
rdr on $ext_if proto tcp from any to any port 8080 -> $myth port 80
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port 8080 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $myth \
   port 8080 flags S/SA keep state
Looking at the pflog interface when I attempt to do this I see:
Script started on Sun Jan  4 11:41:51 2004
koala# bin/d*
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
Jan 04 11:42:02.613185 rule 0/0(match): block in on ep0: 166.84.1.2.54256 > 205.159.77.60.80: S 1164031348:1164031348(0) win 16384 <mss 1460> [tos 0x80]
Jan 04 11:42:08.610080 rule 0/0(match): block in on ep0: 166.84.1.2.54256 > 205.159.77.60.80: S 1164031348:1164031348(0) win 16384 <mss 1460> [tos 0x80]
Jan 04 11:42:20.609821 rule 0/0(match): block in on ep0: 166.84.1.2.54256 > 205.159.77.60.80: S 1164031348:1164031348(0) win 16384 <mss 1460> [tos 0x80]
^C
3 packets received by filter
0 packets dropped by kernel
koala# ^Dexit
Script done on Sun Jan  4 11:42:50 2004
So, can anyone explain why the external web server is trying to make a
connection on a (seemingly random) high port?
Here's the whole pf.conf, in case I forgot something important:
#	$OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
# Macros: define common values, so they can be referenced and changed easily.
ext_if="ep0"	
int_if="fxp1"	
internal_net="205.159.77.0"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# external_addr="68.59.18.241/32"
black="205.159.77.224"
cindy="205.159.77.225"
teddy="205.159.77.231"
myth="205.159.77.60"
# Tables: similar to macros, but more flexible for many addresses.
table <dns_machines> { $black, $cindy }
table <www_machine> { $black }
table <mail_machine> { $black }
table <dcc_machines> { $teddy }
table <mail_readers> { $teddy }
table <ssh_machine> { $black }
tcp_services = "{ ssh, smtp, www, domain }"
icmp_types = "echoreq"
dcc = 6277
set loginterface $ext_if
set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
# nat/rdr
# NAT internal net when going outside
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Redirect these services to black
# will need to add/change if I want to move any service
# to another machine
rdr on $ext_if proto tcp from any to any port $tcp_services -> $black
rdr on $ext_if proto tcp from any to any port 8080 -> $myth port 80
# For ftp proxying
# sends ftp requests to ftp-proxy task
rdr on $int_if proto tcp from any to any port ftp -> lo0 port 8021
# filter rules
block log all
# Block nmap-style utilities
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
# pass all to loopback interface
pass quick on lo0 all
antispoof for $ext_if inet
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
# pass in on $ext_if proto tcp from any port ftp-data to $ext_if port \
# { 55000 <> 57000 } flags S/SA keep state
# pass in on $ext_if inet proto tcp from any to any port > 49151 keep state
pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if proto tcp from any to any port > 49151 \
   keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $black \
   port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port 8080 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $myth \
   port 8080 flags S/SA keep state
# DCC
pass in on $ext_if inet proto udp from any to $teddy \
   port $dcc
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
-- 
"They that would give up essential liberty for temporary safety deserve
neither liberty nor safety."
						-- Benjamin Franklin
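
The pflog lines in the post already show what is going on, so the
following is an added example (an editor's addition, not part of the
original message or the poster's config) of the rdr/pass pair written
so that it matches. tcpdump prints a pflog record as
source.port > destination.port, so 166.84.1.2.54256 is the remote
client's ephemeral source port, and the destination 205.159.77.60.80 is
$myth port 80: the rdr rule has already rewritten the packet by the
time it is logged. pf evaluates filter rules against the translated
packet, so a pass rule for "$myth port 8080" never matches, the
"to ($ext_if) port 8080" pass rule never matches either (the
destination address is now $myth), and the SYN falls through to
rule 0, which is "block log all". The pass rule has to name the
post-translation destination and port. The macros below are the ones
from the posted pf.conf; the only change from the posted rules is the
port in the pass rule and the tightened destination in the rdr rule.

```pf
# Added example, not the poster's configuration: redirect external
# port 8080 to $myth port 80, with a filter rule that matches the
# packet *after* translation.
ext_if="ep0"
myth="205.159.77.60"

# Translation. Catch only traffic addressed to the firewall's own
# external address instead of "to any", so the redirect cannot grab
# unrelated traffic that happens to arrive on $ext_if for port 8080.
# ($ext_if) is re-read at match time if the interface address changes.
rdr on $ext_if proto tcp from any to ($ext_if) port 8080 -> $myth port 80

# Broken (the posted rule): when the filter runs the destination is
# already $myth:80, so "port 8080" never matches and rule 0
# ("block log all") logs and drops the SYN.
#pass in on $ext_if inet proto tcp from any to $myth \
#   port 8080 flags S/SA keep state

# Fixed: match the translated destination address and port. The state
# entry created on the SYN carries the rest of the connection, replies
# included, so no further rule is needed for this service.
pass in on $ext_if inet proto tcp from any to $myth \
   port 80 flags S/SA keep state
```

Check the file with pfctl -nf /etc/pf.conf (parse only) before loading
it with pfctl -f /etc/pf.conf; pfctl -sn and pfctl -sr then show the
loaded translation and filter rules respectively. Repeating the test
while running tcpdump -n -e -ttt -i pflog0 should no longer show a
rule 0 block for a SYN to 205.159.77.60.80; if it still does, the pass
rule did not match and the translated address or port in the log line
is the thing to compare against it.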