#7
24th March 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,977

Quote:
Originally Posted by petter
...i have also a web server with http/https port directed from my local network...
This confuses me. At the moment, you have commented out the HAVP redirection. For this discussion, I have removed the comments:
Code:
.
.
.
pass in quick on $int_if proto tcp from any to any port 80 \
rdr-to 192.168.1.11 port 8080
.
.
.
pass in on $int_if proto tcp from $int_net to $ext_if port { http, https } \
                 rdr-to $wwwserver
.
.
.
These two rules will affect the same traffic. The "http" port mentioned in the second rule is port 80, the same as in the first rule.
The names for standard port numbers are defined in /etc/services. The file structure is defined in the services(5) man page.
Both of your rules intercept all traffic sourced from your internal LAN destined for web servers reachable on your external network. Instead of letting the traffic pass to the destination requested, they redirect that traffic to local servers. The first rule redirects all traffic to your HAVP server, the second rule redirects the same traffic to your web server.

However, PF has a simple way of handling conflicts. The last matching rule wins. The first rule will be ignored, the second rule will apply, and all outbound traffic will be redirected to $wwwserver.
I do not understand why you are redirecting all outbound web traffic to your local web server. For example, with this rule set, if a workstation on your local network attempted to reach www.daemonforums.org, those requests would be redirected to your local web server instead. With this rule set, no outbound HTTP/S traffic is currently possible from your internal network.
While dup-to can replicate packets, keep in mind that HTTP and HTTPS are sent via TCP. TCP traffic is unicast and includes flow control, error detection and correction. Replicated traffic is likely to cause more problems than it solves, unless $wwwserver is not a web server at all but a passive monitor.
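An added example (not part of jggimi's post or the thread's pf.conf): one way to write the two redirects so they no longer compete for the same traffic, keeping the macro names and the HAVP host/port from the quoted rules; the interface names and addresses are assumed placeholders.

```pf
# Assumed placeholder values; the macro names come from the quoted rules.
ext_if    = "em0"               # assumed external interface
int_if    = "em1"               # assumed internal interface
int_net   = "192.168.1.0/24"    # assumed LAN
wwwserver = "192.168.1.20"      # assumed address of the local web server
havp      = "192.168.1.11"      # HAVP host from the quoted rule

# General case: all plain HTTP leaving the LAN is sent through the HAVP proxy.
pass in on $int_if proto tcp from $int_net to any port http \
    rdr-to $havp port 8080

# Special case: LAN clients that connect to the firewall's own external address
# (the public name of the web server) are reflected to the local web server.
# ($ext_if) in parentheses expands to the addresses currently configured on ext_if.
# Without "quick", the last matching rule wins, so this more specific rule goes last;
# traffic to any other destination only matches the HAVP rule above.
pass in on $int_if proto tcp from $int_net to ($ext_if) port { http, https } \
    rdr-to $wwwserver

# Syntax check without loading the rules: pfctl -nf /etc/pf.conf
```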