
Re: How do I allow packages from internal net to go back to internalserver?



Why not set up an internal DNS server that is the master for the domain that you list in dyndns?

Jules Colding wrote:

Hi,

My setup is that I have an internal https webserver (linux_1), an
OpenBSD 3.5 firewall and a dynamic dns setup.

I can contact linux_1 from the outside by redirecting packages on
$ext_if port https to $linux_1 port https.


I can likewise contact linux_1 from the inside by using its local IP
address.

I have used dyndns.org to attach $ext_if to a DNS alias.

I would like internal and external requests to use the same URL. So my
question is:

How do I configure pf to allow connections from the internal network
when using the dns alias directly?

Thanks a lot for any help,
 jules

############ pf.conf #############
#       $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.
ext_if = "fxp0" # replace with actual external interface name i.e., dc0
int_if = "fxp1" # replace with actual internal interface name i.e., dc1
admin_services = "{ 22, 8001, 8002 }" # SSH, BK/WEB
fw_admin_port = "{ 8022 }" # SSH
public_services = "{ 443 }" # HTTPS
icmp_types = "echoreq" # To allow ping(8)
linux_1 = "10.0.0.2" # Internal linux server
admin_home = "80.62.76.190"

# Tables: similar to macros, but more flexible for many addresses.
table <priv_nets> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Options: tune the behavior of pf, default values are given.
set loginterface $ext_if
set block-policy drop # or "return"
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all # This might give problems for OpenVPN, NFS and games

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $int_if:network
# will get translated as coming from the address of $ext_if, a state is
# created for such packets, and incoming packets will be redirected to the
# internal address.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# rdr incoming HTTPS, SSH and admin (8001, 8002) traffic to $linux_1
rdr on $ext_if proto tcp from any to $ext_if port https -> $linux_1 port https
rdr on $ext_if proto tcp from any to $ext_if port ssh -> $linux_1 port ssh
rdr on $ext_if proto tcp from any to $ext_if port 8001 -> $linux_1 port 8001
rdr on $ext_if proto tcp from any to $ext_if port 8002 -> $linux_1 port 8002

# rdr bittorrent requests to linux_1
rdr on $ext_if proto tcp from any to $ext_if port 6881:6999 -> $linux_1 port 6881:6999

# rdr outgoing FTP requests to the ftp-proxy
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# Filtering, default block
block in log all
block out log all

# Loopback interface
pass quick on lo0 all

# Prevent leak/entry of internal addresses
block drop in quick on $ext_if from <priv_nets> to any
block drop out quick on $ext_if from any to <priv_nets>

# Open for bittorrent to linux_1
pass in on $ext_if inet proto tcp from any to $linux_1 port 6880><7000 flags S/SA keep state

# Open admin services on $linux_1 from anywhere, and the firewall's own SSH port from $admin_home
pass in log on $ext_if inet proto tcp from any to $linux_1 port $admin_services flags S/SA keep state
pass in log on $ext_if inet proto tcp from $admin_home to ($ext_if) port $fw_admin_port flags S/SA keep state

# Open for allowed TCP services from outside to $linux_1
pass in log on $ext_if inet proto tcp from any to $linux_1 port $public_services flags S/SA keep state
# Allow ICMP traffic for ping(8)
pass in inet proto icmp all icmp-type $icmp_types keep state


# Allow any traffic on $int_if
pass in on $int_if from $int_if:network to any keep state

# Allow connections from the firewall to the internal net
pass out on $int_if from any to $int_if:network keep state

# Pass traffic out on the external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
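The reply above proposes solving this in DNS. For the pf-side alternative, the following is an added example, not part of the original thread, of the "reflection" rules described in the OpenBSD pf FAQ, written against the macros of the quoted pf.conf. It assumes the same $ext_if, $int_if and $linux_1 values and the nat/rdr syntax of OpenBSD 3.5; the macro lines are repeated only so the fragment stands alone and would be dropped when pasting into the real file.

```pf
# Added example: NAT reflection so that internal clients can use the
# public DNS name, which resolves to the (dynamic) address of $ext_if.
# Macro values assumed from the quoted pf.conf.
ext_if = "fxp0"
int_if = "fxp1"
linux_1 = "10.0.0.2"

# 1. Internal clients connecting to the external address on 443 are
#    redirected to the internal server, exactly as outside clients are.
#    ($ext_if) is resolved at run time, so a dyndns address change does
#    not require a ruleset reload.
rdr on $int_if proto tcp from $int_if:network to ($ext_if) port https -> $linux_1 port https

# 2. The firewall's own connections to the internal network are never
#    translated.
no nat on $int_if proto tcp from $int_if to $int_if:network

# 3. Rewrite the source of the redirected connection to the firewall's
#    internal address. Without this, linux_1 would reply straight to the
#    client from 10.0.0.2, and the client, which opened the connection to
#    the external address, would discard that reply.
nat on $int_if proto tcp from $int_if:network to $linux_1 port https -> $int_if
```

Both lines go in the translation section, after the existing rdr rules. No new filter rules are needed: after redirection the packet is "from $int_if:network to $linux_1", which the quoted "pass in on $int_if" and "pass out on $int_if" rules already allow. Check the syntax with "pfctl -nf /etc/pf.conf" before loading. The trade-off is that every internal HTTPS byte now crosses the firewall twice (client to firewall, firewall to linux_1), which is why the pf FAQ treats the internal DNS approach suggested in the reply as the preferred fix and reflection as the fallback.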