[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

How do I allow packages from internal net to go back to internalserver?



Hi,
My setup is that I have an internal https webserver (linux_1), an
OpenBSD 3.5 firewall and a dynamic dns setup.
I can contact linux_1 from the outside by redirecting packages on
$ext_if port https to $linux_1 port https. 
I can likewise contact linux_1 from the inside by using its local IP
address.
I have used dyndns.org to attach $ext_if to a DNS alias.
I would like internal and external requests to use the same URL. So my
question is:
How do I configure pf to allow connections from the internal network
when using the dns alias directly??
Thanks a lot for any help,
  jules
############ pf.conf #############
#       $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
 
# Macros: define common values, so they can be referenced and changed easily.
ext_if = "fxp0" # replace with actual external interface name i.e., dc0
int_if = "fxp1" # replace with actual internal interface name i.e., dc1
admin_services = "{ 22, 8001, 8002 }" # SSH, BK/WEB
fw_admin_port = "{ 8022 }" # SSH
public_services = "{ 443 }" # HTTPS
icmp_types = "echoreq" # To allow ping(8)
linux_1 = "10.0.0.2" # Internal linux server
admin_home = "80.62.76.190"
 
# Tables: similar to macros, but more flexible for many addresses.
table <priv_nets> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
 
# Options: tune the behavior of pf, default values are given.
set loginterface $ext_if
set block-policy drop # or "return"
set fingerprints "/etc/pf.os"
 
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all # This might give problems for OpenVPN, NFS and games
 
# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $int_if:network
# will get translated as coming from the address of $ext_if, a state is
# created for such packets, and incoming packets will be redirected to the
# internal address.
nat on $ext_if from $int_if:network to any -> ($ext_if)
 
# rdr incomming SSH, HTTP and HTTPS traffic to $linux_1
rdr on $ext_if proto tcp from any to $ext_if port https -> $linux_1 port https
rdr on $ext_if proto tcp from any to $ext_if port ssh -> $linux_1 port ssh
rdr on $ext_if proto tcp from any to $ext_if port 8001 -> $linux_1 port 8001
rdr on $ext_if proto tcp from any to $ext_if port 8002 -> $linux_1 port 8002
 
# rdr bittorrent requests to linux_1
rdr on $ext_if proto tcp from any to $ext_if port 6881:6999 -> $linux_1 port 6881:6999
 
# rdr outgoing FTP requests to the ftp-proxy
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
 
# Filtering, default block
block in log all
block out log all
 
# Loopback interface
pass quick on lo0 all
 
# Prevent leak/entry of internal addresses
block drop in quick on $ext_if from <priv_nets> to any
block drop out quick on $ext_if from any to <priv_nets>
 
# Open for bittorrent to linux_1
pass in on $ext_if inet proto tcp from any to $linux_1 port 6880><7000 flags S/SA keep state
 
# Open for allowed TCP services from $admin_home to firewall
pass in log on $ext_if inet proto tcp from any to $linux_1 port $admin_services flags S/SA keep state
pass in log on $ext_if inet proto tcp from $admin_home to ($ext_if) port $fw_admin_port flags S/SA keep state
 
# Open for allowed TCP services from outside to $linux_1
pass in log on $ext_if inet proto tcp from any to $linux_1 port $public_services flags S/SA keep state
                                                                                                                             
# Allow ICMP traffic for ping(8)
pass in inet proto icmp all icmp-type $icmp_types keep state
 
# Allow any traffic on $int_if
pass in on $int_if from $int_if:network to any keep state
 
# Allow connections from the firewall to the internal net
pass out on $int_if from any to $int_if:network keep state
 
# Pass traffic out on the external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state