DaemonForums  

  #1   (View Single Post)  
Old 2nd November 2015
mfaridi mfaridi is offline
Spam Deminer
 
Join Date: May 2008
Location: Afghanistan
Posts: 320
Default Linux Server

I have a Linux server and I want to make it secure with PF. Linux is on one machine, and OpenBSD and PF are on another machine in one network. The Linux server and OpenBSD have public IPs.
How do I configure PF so that all requests for the Linux server pass through PF?
I want all requests to be sent first to PF and OpenBSD, where each request is checked, fixed, or blocked, and after that goes to the Linux server.
I trust PF more than IP Tables and think PF is more powerful than IP Tables.
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in Persian or Farsi.
  #2   (View Single Post)  
Old 2nd November 2015
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,984
Default

In order to have PF protect your Linux server, you must route its traffic through the OpenBSD server. The Linux server must not be directly connected to the Internet.

{Internet} - [OpenBSD] - [Linux]

There are two ways to route traffic to the Linux server:

1. They share the OpenBSD server's IP address. TCP/UDP traffic can be redirected by port number, also called Port Forwarding. PF's rdr-to is used. See the Traffic Redirection chapter of the PF User's Guide.

2. The OpenBSD server has multiple IP addresses on the public-facing NIC, and all traffic for one address is redirected to the Linux server. This is done with Bidirectional Mapping (also called bidirectional NAT, or "binat"). PF's binat-to is used. See the NAT chapter of the PF User's Guide.
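The two approaches described in the post above, as a pf.conf sketch. This is an added example, not part of the original thread; the interface names, addresses and port list are constructed placeholders, and it assumes the Linux server sits on its own segment behind the OpenBSD machine with IP forwarding enabled.

```conf
# /etc/pf.conf on the OpenBSD machine (added example, not from the thread).
# Assumes net.inet.ip.forwarding=1 is set in /etc/sysctl.conf.
# All names and addresses below are constructed placeholders.
ext_if    = "em0"            # Internet-facing NIC
int_if    = "em1"            # NIC on the segment with the Linux server
linux     = "192.168.1.10"   # Linux server, private address
pub_linux = "203.0.113.10"   # extra public address (binat option only)
services  = "{ 80 443 }"     # TCP ports the Linux server offers

set skip on lo
block log all                # default deny, both directions

# --- Option 1: redirection (rdr-to) --------------------------------
# The Linux server shares the firewall's single public address.
# Only the listed TCP ports are forwarded; everything else stays blocked.
pass in  on $ext_if inet proto tcp to ($ext_if) port $services rdr-to $linux
pass out on $int_if inet proto tcp to $linux port $services

# --- Option 2: bidirectional mapping (binat-to) --------------------
# $pub_linux must be a second address on $ext_if. Use "match" so the
# address is translated but traffic is still filtered by the pass rules;
# a bare "pass ... binat-to" would let every protocol and port through.
# Rules after the match see the translated (private) destination.
# match    on $ext_if inet from $linux to any binat-to $pub_linux
# pass in  on $ext_if inet proto tcp to $linux port $services
# pass out on $int_if inet proto tcp to $linux port $services

# Replies to the connections above are allowed by state. Connections
# initiated by the Linux server itself need their own pass rules
# (and nat-to on $ext_if under Option 1); they are not shown here.
```

Parse the file without loading it using `pfctl -nf /etc/pf.conf` before applying it with `pfctl -f /etc/pf.conf`.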
  #3   (View Single Post)  
Old 2nd November 2015
mfaridi mfaridi is offline
Spam Deminer
 
Join Date: May 2008
Location: Afghanistan
Posts: 320
Default

Thanks,
For me speed is important too. Which way is better?
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in Persian or Farsi.
  #4   (View Single Post)  
Old 2nd November 2015
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,984
Default

The speed is going to be very similar; packet redirection and Bidirectional NAT have similar paths through the OpenBSD kernel.

You must choose Bidirectional Mapping:
  • if you need to route protocols other than TCP or UDP
  • if both the OpenBSD and Linux machines must listen to the same TCP or UDP port numbers
You may want to use Bidirectional Mapping if you wish to have the Linux server retain the unique IP address as a form of identity.

You may want to use Redirection if you do not have a requirement for Bidirectional Mapping and you wish to save money by using fewer Internet-facing IP addresses.