View Single Post
  #5   (View Single Post)  
Old 24th March 2013
petter petter is offline
Port Guard
 
Join Date: Feb 2013
Posts: 12
Default

i have configured openbsd 5.2 as a dhcp server/router. i have one internal network with servers and clients. one of my servers running HAVP (Http Anti Virus Proxy) with ClamAV and AVG as scanners. i want to direct all http traffic to port 8080 on my server running HAVP from my local network. i have also a web server with http/https port directed from my local network.
any suggestions for how to solve this, or could i use dup-to? thanks.

p.s! i have also a extra network card i could use to create a own DMZ for the server network if that would be easier.
pf.conf:

Code:
# Set network interfaces
ext_if="em0" #internet
int_if="em1" #LAN
int_net="192.168.1.0/24"
wwwserver = "192.168.1.12"
openvpn ="192.168.1.148"
windows ="192.168.1.15"
# Non-routable IP numbers
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8,
    0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3,
    255.255.255.255/32 }"

# Skip all loopback traffic
set skip on lo

match in all scrub (no-df)

##external
# DEFAULT IS BLOCK IN FROM INTERNET, PASS ALL ELSE
block log all
pass out on $ext_if all

#nonroutable
block in quick on $ext_if from $nonroutable to any
block out quick on $ext_if from any to $nonroutable

##ssh-block##
table <ssh_block> persist file "/etc/ssh_block"
block drop in from <ssh_block> to any

##internal
# Allow inbound traffic on internal interface
pass  on $int_if all

# Protect against spoofing
antispoof quick for { $int_if, lo0 }


## Nat ##
pass out on $ext_if from $int_if:network to any nat-to ($ext_if)

#AV scan http traffic
 #pass in quick on $int_if proto tcp from any to any port 80 \
 # rdr-to 192.168.1.11 port 8080

##iptv
 #nrk1
  #pass in quick on $ext_if inet proto udp from any to any port 1234 rdr-to 192.168.1.14
  #pass quick on { $ext_if, $int_if } proto igmp allow-opts

##web server##
 pass in quick on $ext_if proto { tcp } from any to any port { http, https } flags S/SA rdr-to $wwwserver

 pass in on $int_if proto tcp from $int_net to $ext_if port { http, https } \
                   rdr-to $wwwserver
           pass out on $int_if proto tcp to $wwwserver port { http, https } \
                   received-on $int_if nat-to $int_if
##openvpn-ubuntu##
 #openvpn#
  pass in quick on $ext_if proto { tcp, udp } from any to any port { 1194 } flags S/SA rdr-to $openvpn
  
  pass in on $int_if proto { tcp, udp } from $int_net to $ext_if port { 1194 } \
               rdr-to $openvpn
  
  pass out on $int_if proto { tcp, udp } to $openvpn port { 1194 } \
                received-on $int_if nat-to $int_if
 #ssh#
  pass in quick on $ext_if proto { tcp } from any to any port { 2301 } flags S/SA rdr-to $openvpn

##windows Server2012##
 #plex#
  pass in quick on $ext_if proto { tcp, udp } from any to any port { 32400 } flags S/SA rdr-to $windows

 ##Microsoft VPN
  #PPTP#
    pass in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 1723 \
        rdr-to $windows port 1723
  #L2TP#
    pass in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 1701 \
        rdr-to $windows port 1701

    pass in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 4500 \
        rdr-to $windows port 4500

    pass in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 500 \
        rdr-to $windows port 500
Reply With Quote