16th April 2012
jggimi

Heather, welcome back!

First, I note you've edited this posting. Those who had already read it will not know you've edited it. In your additional information, which you top-posted, you wrote:
Quote:
part of my pf.conf here
You'll want to post the entire file, if you want us to review it. Partial information isn't very helpful.

I can't quite tell which Apache server you have decided to run, either the built-in Apache 1.3 or the Apache2 port. I do not think that is germane to your problem.

I also am clueless about your network configuration. Is your OpenBSD platform acting as a NAT router? If so, then even without seeing your PF configuration, I will assume your tests will always fail, proper configuration or not, if you are testing from behind the router.

The PF User's Guide chapter on Traffic Redirection (Port Forwarding) has this to say, highlights mine:
Quote:
Redirection and Reflection

Often, redirection rules are used to forward incoming connections from the Internet to a local server with a private address in the internal network or LAN, as in:
    server = 192.168.1.40

    pass in on $ext_if proto tcp from any to $ext_if port 80 \
        rdr-to $server port 80

But when the redirection rule is tested from a client on the LAN, it doesn't work. The reason is that redirection rules apply only to packets that pass through the specified interface ($ext_if, the external interface, in the example). Connecting to the external address of the firewall from a host on the LAN, however, does not mean the packets will actually pass through its external interface. The TCP/IP stack on the firewall compares the destination address of incoming packets with its own addresses and aliases and detects connections to itself as soon as they have passed the internal interface. Such packets do not physically pass through the external interface, and the stack does not simulate such a passage in any way. Thus, PF never sees these packets on the external interface, and the redirection rule, specifying the external interface, does not apply.
That chapter continues with several alternative solutions for addressing a forwarded server from inside and outside a translated LAN network.
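As an added illustration that is not part of the original post: a pf.conf sketch of one common way to handle the reflection case the quoted passage describes, pairing a redirection on the internal interface with source translation. The interface names and LAN range are assumed values; only `$server` and the first rule come from the quoted guide.

```conf
# Added example; interface names and the LAN range are assumed values.
ext_if  = "em0"             # external interface (assumed name)
int_if  = "em1"             # internal/LAN interface (assumed name)
int_net = "192.168.1.0/24"  # LAN network (assumed; contains $server)
server  = "192.168.1.40"    # from the quoted guide example

# Connections from the Internet: the rule quoted above.
pass in on $ext_if proto tcp from any to $ext_if port 80 \
    rdr-to $server port 80

# Connections from LAN clients to the external address arrive on $int_if,
# never on $ext_if, so they need their own redirection rule there.
pass in on $int_if proto tcp from $int_net to $ext_if port 80 \
    rdr-to $server port 80

# Source-translate the reflected connection to the firewall's internal
# address. Without this the server answers the LAN client directly, and
# the client drops the reply because it comes from an unexpected address.
pass out on $int_if proto tcp to $server port 80 \
    received-on $int_if nat-to $int_if
```

With this in place the web server logs reflected LAN connections as coming from the firewall's internal address, not from the real client.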