Two PF questions
I have recently started to build a firewall for my home network using OpenBSD 4.6 and PF. However, PF is completely new to me. I have read through the PF user's guide and I'm still having trouble figuring a few things out. I have a network architecture as follows:

[ server server server ] ------- [Switch] -------- [OpenBSD] -------- [Internet]

I have configured the OpenBSD box to simply act as a transparent bridge. I have two network cards: fxp0 is the external card and vr0 is my internal card. Basically what I would like to do is redirect incoming traffic from the internet to different servers. From what I have read, the rdr macro doesn't seem to take an inbound or outbound parameter. So what rule would I use to forward all incoming traffic destined for port 80 to one of the servers?

Also, I would like to be able to log traffic intended for each server in a separate log file. I have already created three pflog interfaces but I don't quite understand how pflogd works. Am I able to use the single daemon to log everything to separate files, or do I need to run multiple instances of the daemon to achieve this?
Have you seen the redirection examples in http://www.openbsd.dk/faq/pf/rdr.html ?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
I have read through the redirection stuff in the user guide but it doesn't seem to work as intended. I have something like:

rdr on $int_if proto tcp from any to any port 80 -> $webserver

However, my internal and external interfaces are set up as a bridge and neither has been assigned an IP address. So I have already allowed all inbound and outbound traffic on the external interface and I'm doing all my filtering on the internal interface. Any idea what could be wrong here?
Also, in a {server server server} scenario, you may hit the limits of PF's layer 3 and 4 only facilities, especially in a bridged mode.
If {server server server} is {web[80] email[25] ntp[123]}, then you're likely OK. If, however, it's one outside IP and {server server server} is {web-A[80] and web-B[80] and web-C[80]}, then you'll likely need to look at and use OpenBSD's relayd(8) in combination with PF. /S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.

Last edited by s2scott; 9th November 2009 at 08:06 AM.
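A worked pf.conf for the bridged setup discussed in this thread, added here as an example and not something posted by anyone in it. The interface names come from the thread; the server addresses, the macro names and the two extra services are placeholders, and the rules use the pre-4.7 rdr syntax that OpenBSD 4.6 expects:

```conf
# Transparent bridge: fxp0 faces the Internet, vr0 faces the server switch.
ext_if = "fxp0"
int_if = "vr0"

# Placeholder addresses for the three servers behind the bridge.
webserver  = "192.168.1.10"
mailserver = "192.168.1.11"
ntpserver  = "192.168.1.12"

set skip on lo0

# rdr matches packets as they ARRIVE on the named interface. Traffic from the
# Internet enters the bridge on $ext_if, so the redirect belongs there; a rule
# on $int_if would only see packets coming from the server side.
rdr on $ext_if proto tcp from any to any port 80  -> $webserver  port 80
rdr on $ext_if proto tcp from any to any port 25  -> $mailserver port 25
rdr on $ext_if proto udp from any to any port 123 -> $ntpserver  port 123

# Default deny; blocked packets are recorded on pflog0.
block log all

# Filter rules see the packet AFTER translation, so they match the internal
# address. Each server's traffic is logged to its own pflog(4) interface.
pass in on $ext_if proto tcp from any to $webserver  port 80  log (to pflog1) keep state
pass in on $ext_if proto tcp from any to $mailserver port 25  log (to pflog2) keep state
pass in on $ext_if proto udp from any to $ntpserver  port 123 log (to pflog3) keep state

# Replies leave on $ext_if; the bridge also passes every frame through $int_if.
pass out on $ext_if keep state
pass on $int_if keep state
```

One pflogd writes one file, so each pflog interface needs its own daemon, e.g. `pflogd -i pflog1 -f /var/log/pflog1` and `pflogd -i pflog2 -f /var/log/pflog2`; check the ruleset first with `pfctl -nf /etc/pf.conf`.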