[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: redirect packets from any to different HTTP servers

You can't do it with PF alone. You can replace the ISA server with a box running say Squid or Apache. The PF box redirects to the Squid/ Apache box, which then proxies the connection on behalf of the client to the real server or servers. This is a reverse proxy configuration.

I've been using this type of setup for a long time and it works nicely. Note I also do split DNS so when www.balius.com is looked up on the Internet they get an IP address that gets them to my proxy. My proxy then looks up that same hostname and gets a different IP, as my internal DNS has something else published. The proxy machine is invisible to clients.

You could put the Squid/Apache process on the same box as PF, but I would not do that, for security reasons.


On Sep 26, 2005, at 9:23 AM, Raphael GRUNDRICH wrote:


I want to replace an ISA server by PF. This ISA Server does one thing I can't reproduce under PF.
For each domain it redirect to different host : for exemple www.domain1.com , www.domain2.net have the same IP address (i.e the ISA Server public IP) but different IP address inside local lan because they run on different host.
I guess under ISA this is call "web publication". Can we do the same thing under PF ?
I have find no examples in the "Building Firewalls with OpenBSD and PF" book. There is always a redirection (rdr on ...) with one HTTP server on DMZ.