I have configured OpenBSD 5.2 as a DHCP server/router. I have one internal network with servers and clients. One of my servers is running HAVP (HTTP Anti Virus Proxy) with ClamAV and AVG as scanners. I want to direct all HTTP traffic from my local network to port 8080 on my server running HAVP. I also have a web server with the http/https ports directed from my local network.
Any suggestions for how to solve this, or could I use dup-to? Thanks.
P.S. I also have an extra network card I could use to create its own DMZ for the server network if that would be easier.
pf.conf:
Code:
# Set network interfaces
ext_if="em0" #internet
int_if="em1" #LAN
int_net="192.168.1.0/24"
wwwserver = "192.168.1.12"
openvpn ="192.168.1.148"
windows ="192.168.1.15"
# Non-routable IP numbers
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8,
0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3,
255.255.255.255/32 }"
# Skip all loopback traffic
set skip on lo
match in all scrub (no-df)
##external
# DEFAULT IS BLOCK IN FROM INTERNET, PASS ALL ELSE
block log all
pass out on $ext_if all
#nonroutable
block in quick on $ext_if from $nonroutable to any
block out quick on $ext_if from any to $nonroutable
##ssh-block##
table <ssh_block> persist file "/etc/ssh_block"
block drop in from <ssh_block> to any
##internal
# Allow inbound traffic on internal interface
pass on $int_if all
# Protect against spoofing
antispoof quick for { $int_if, lo0 }
## Nat ##
pass out on $ext_if from $int_if:network to any nat-to ($ext_if)
#AV scan http traffic
#pass in quick on $int_if proto tcp from any to any port 80 \
# rdr-to 192.168.1.11 port 8080
##iptv
#nrk1
#pass in quick on $ext_if inet proto udp from any to any port 1234 rdr-to 192.168.1.14
#pass quick on { $ext_if, $int_if } proto igmp allow-opts
##web server##
pass in quick on $ext_if proto { tcp } from any to any port { http, https } flags S/SA rdr-to $wwwserver
pass in on $int_if proto tcp from $int_net to $ext_if port { http, https } \
rdr-to $wwwserver
pass out on $int_if proto tcp to $wwwserver port { http, https } \
received-on $int_if nat-to $int_if
##openvpn-ubuntu##
#openvpn#
pass in quick on $ext_if proto { tcp, udp } from any to any port { 1194 } flags S/SA rdr-to $openvpn
pass in on $int_if proto { tcp, udp } from $int_net to $ext_if port { 1194 } \
rdr-to $openvpn
pass out on $int_if proto { tcp, udp } to $openvpn port { 1194 } \
received-on $int_if nat-to $int_if
#ssh#
pass in quick on $ext_if proto { tcp } from any to any port { 2301 } flags S/SA rdr-to $openvpn
##windows Server2012##
#plex#
pass in quick on $ext_if proto { tcp, udp } from any to any port { 32400 } flags S/SA rdr-to $windows
##Microsoft VPN
#PPTP#
pass in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 1723 \
rdr-to $windows port 1723
#L2TP#
pass in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 1701 \
rdr-to $windows port 1701
pass in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 4500 \
rdr-to $windows port 4500
pass in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 500 \
rdr-to $windows port 500
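As an added example (not from the original post), one way to do the HAVP redirect with rdr-to; dup-to only copies packets to another interface, it does not divert the client's connection. It assumes the HAVP host is 192.168.1.11 (the address in the commented-out rule) listening on 8080 in transparent mode, and that these quick rules replace the commented #AV block, so they sit before the existing web-server rules:

```pf
# Added example: transparent HTTP scanning via HAVP on the LAN side.
# Assumes the HAVP host is 192.168.1.11 (from the commented-out rule) and
# that HAVP listens on port 8080 in transparent mode.
havp = "192.168.1.11"

# The proxy's own outbound HTTP must pass untouched, before any redirect,
# otherwise its fetches are sent back to port 8080 and loop.
pass in quick on $int_if proto tcp from $havp to any port http

# LAN clients hitting the firewall's public address want the local web
# server, not the proxy (same translation as the existing $wwwserver rule).
pass in quick on $int_if proto tcp from $int_net to $ext_if port http \
    rdr-to $wwwserver

# Everything else from the LAN on port 80 goes to HAVP.
pass in quick on $int_if proto tcp from $int_net to ! $int_net port http \
    rdr-to $havp port 8080

# Client and proxy sit on the same subnet, so the proxy's reply would go
# straight to the client, bypassing pf, and the client would see a reply
# from the wrong address and reset. Source-NAT the redirected connection to
# the firewall's LAN address so the reply comes back through pf (the same
# trick the existing web-server rule uses with received-on / nat-to).
pass out on $int_if proto tcp to $havp port 8080 received-on $int_if \
    nat-to ($int_if)
```

If the HAVP host is moved onto the spare NIC as a DMZ, the last rule's nat-to is no longer needed, because replies then have to cross the firewall anyway. Check the result with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -ss | grep 8080` to confirm redirected states are created.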