10th July 2009
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,977

I believe you have two problems. #1:
Quote:
pass in log quick on $ext_if proto { tcp udp } from any to $server port 80 flags S/SA
I don't believe this rule will ever match a packet. The incoming traffic is destined for the IP address of your OpenBSD router on em0; there will normally never be an incoming packet from em0 (the Internet) destined for 192.168.0.10, which is an RFC 1918 address.

#2:
Quote:
rdr pass on $ext_if proto { tcp udp } from any to any port 80 -> $server port 80
This should cause a redirect of TCP and UDP traffic on em0, with a destination port 80, towards 192.168.0.10, as you intended. That traffic is passed IN, as you intend, due to the "pass" in the rdr rule. (If I recall correctly, UDP is not used with the HTTP protocol, so any UDP traffic will be ignored by the web server. You should be able to safely remove UDP from your rdr rule.)

However, the redirected traffic needs its own pass rule. That's because you are running NAT, which changes the destination address from your IP address on the Internet to 192.168.0.10. I would add a rule something like:
Quote:
pass out log on $int_if from any to $server port 80
As I stated initially, PF doesn't know which of your interfaces is internal or external, and "in" and "out" are directions in and out of your NICs. This outbound pass rule goes *out* of your OpenBSD router, but towards your internal LAN.
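The two corrections above, put together as a complete pf.conf fragment. This is an added example, not jggimi's or the original poster's configuration; it uses the pre-OpenBSD 4.7 rdr/nat syntax that was current in 2009 and assumes em0 is the external NIC and em1 the internal one (only em0 is named in the thread).

```pf
# Added example: minimal router with one web server behind NAT.
# Assumed interface names: em0 external (named above), em1 internal (assumption).
ext_if = "em0"
int_if = "em1"
server = "192.168.0.10"

# Translation rules (evaluated before filter rules in this syntax).
# NAT the LAN out through the router's external address.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Redirect inbound port 80 to the web server. "rdr pass" both translates and
# passes the packet in on $ext_if, so no "pass in ... to $server" rule on
# $ext_if is needed (it would never match: the packet arrives addressed to
# the router's public IP, not to 192.168.0.10). UDP dropped, HTTP is TCP only.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 80 -> $server port 80

# Filter rules: deny by default, log what is dropped.
block log all

# After translation the packet's destination is 192.168.0.10, and it must
# leave the router on the internal NIC. "out" is relative to the NIC, so
# this rule is "out" of em1 even though it heads into the LAN.
pass out log on $int_if proto tcp from any to $server port 80 flags S/SA keep state

# Let the LAN browse the Internet, statefully.
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if from any to any keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then watch `tcpdump -n -e -ttt -i pflog0` for the logged pass on em1 (or logged blocks) while fetching the site from outside.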