Re: redirect packets from any to different HTTP servers
You can't do it with PF alone. You can replace the ISA server with a
box running, say, Squid or Apache. The PF box redirects to the Squid/
Apache box, which then proxies the connection on behalf of the client
to the real server or servers. This is a reverse proxy configuration.
I've been using this type of setup for a long time and it works
nicely. Note I also do split DNS so when www.balius.com is looked up
on the Internet they get an IP address that gets them to my proxy.
My proxy then looks up that same hostname and gets a different IP, as
my internal DNS has something else published. The proxy machine is
invisible to clients.
You could put the Squid/Apache process on the same box as PF, but I
would not do that, for security reasons.
On Sep 26, 2005, at 9:23 AM, Raphael GRUNDRICH wrote:
I want to replace an ISA server with PF. This ISA Server does one
thing I can't reproduce under PF.
For each domain it redirects to a different host: for example,
www.domain1.com and www.domain2.net have the same IP address (i.e. the
ISA Server public IP) but different IP addresses inside the local LAN
because they run on different hosts.
I guess under ISA this is called "web publication". Can we do the
same thing under PF?
I have found no examples in the "Building Firewalls with OpenBSD and
PF" book. There is always a redirection (rdr on ...) with one HTTP
server on DMZ.
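
The reverse proxy described in the reply picks the internal server from the HTTP Host header, which a packet filter redirecting on address and port never inspects. The sketch below is an added example, not part of either message and not Squid's or Apache's code; the internal addresses and the names `BACKENDS`, `RejectRequest`, `normalise_host` and `pick_backend` are assumptions, and the request bytes in the usage are constructed.

```python
# Added illustration: choosing a backend by Host header, default deny.
# Backend addresses are constructed sample values, not from the thread.
BACKENDS = {
    "www.domain1.com": ("192.168.10.11", 80),
    "www.domain2.net": ("192.168.10.12", 80),
}


class RejectRequest(Exception):
    """Raised when a request must not be forwarded to any backend."""


def normalise_host(value: str) -> str:
    """Lower-case the Host value and drop an optional port and trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):          # IPv6 literal: never a published name
        raise RejectRequest("IP literal in Host")
    if ":" in host:                   # "name:port" -> "name"
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def pick_backend(raw_request: bytes):
    """Return (ip, port) of the internal server for this request's Host header."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")[1:]    # skip the request line
    hosts = [l.split(":", 1)[1] for l in lines
             if l.lower().startswith("host:")]
    if len(hosts) != 1:               # missing or duplicated Host is ambiguous
        raise RejectRequest("expected exactly one Host header")
    name = normalise_host(hosts[0])
    if name not in BACKENDS:          # unpublished name: do not act as an open proxy
        raise RejectRequest("unpublished host: " + name)
    return BACKENDS[name]


if __name__ == "__main__":
    # Constructed request, as a client on the Internet would send it.
    req = b"GET / HTTP/1.1\r\nHost: www.domain1.com\r\n\r\n"
    print(pick_backend(req))
```

Both published names arrive on the same public IP and port, so the two requests are indistinguishable to a redirect rule; only the parsed header separates them, and anything not in the table is refused rather than forwarded.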