redirect outgoing http

Hello, I have installed HAVP with ClamAV and AVG on an Ubuntu server on my LAN. How could I redirect outgoing HTTP traffic from the LAN to port 8080 on 192.168.1.11 (the Ubuntu server)?
I have an OpenBSD 5.2 DHCP server as my router. Thanks.

Last edited by J65nko; 24th March 2013 at 12:53 AM. Reason: fixed "speling" in title ;)
See the Traffic Redirection chapter of the PF User's Guide.
Your redirection rule might be something like:
Code:
pass in on $internal proto tcp from any to any port 80 \
    rdr-to 192.168.1.11 port 8080
Code:
pass in quick on $int_if proto tcp from any to any port 80 \
    rdr-to 192.168.1.11 port 8080

It did not work: I lost my web connection. But I also have a web server on my LAN. Does this cause trouble?

Code:
##web server##
pass in quick on $ext_if proto { tcp } from any to any port { http, https } flags S/SA rdr-to $wwwserver
pass in on $int_if proto tcp from $int_net to $ext_if port { http, https } \
    rdr-to $wwwserver
pass out on $int_if proto tcp to $wwwserver port { http, https } \
    received-on $int_if nat-to $int_if
I have configured OpenBSD 5.2 as a DHCP server/router. I have one internal network with servers and clients. One of my servers runs HAVP (HTTP Anti Virus Proxy) with ClamAV and AVG as scanners. I want to direct all HTTP traffic from my local network to port 8080 on my server running HAVP. I also have a web server with the http/https ports redirected from my local network.
Any suggestions for how to solve this, or could I use dup-to? Thanks. P.S.: I also have an extra network card I could use to create a separate DMZ for the server network, if that would be easier.

pf.conf:
Code:
# Set network interfaces
ext_if="em0" #internet
int_if="em1" #LAN
int_net="192.168.1.0/24"
wwwserver = "192.168.1.12"
openvpn ="192.168.1.148"
windows ="192.168.1.15"

# Non-routable IP numbers
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 255.255.255.255/32 }"

# Skip all loopback traffic
set skip on lo

match in all scrub (no-df)

##external
# DEFAULT IS BLOCK IN FROM INTERNET, PASS ALL ELSE
block log all
pass out on $ext_if all

#nonroutable
block in quick on $ext_if from $nonroutable to any
block out quick on $ext_if from any to $nonroutable

##ssh-block##
table <ssh_block> persist file "/etc/ssh_block"
block drop in from <ssh_block> to any

##internal
# Allow inbound traffic on internal interface
pass on $int_if all

# Protect against spoofing
antispoof quick for { $int_if, lo0 }

## Nat ##
pass out on $ext_if from $int_if:network to any nat-to ($ext_if)

#AV scan http traffic
#pass in quick on $int_if proto tcp from any to any port 80 \
#    rdr-to 192.168.1.11 port 8080

##iptv
#nrk1
#pass in quick on $ext_if inet proto udp from any to any port 1234 rdr-to 192.168.1.14
#pass quick on { $ext_if, $int_if } proto igmp allow-opts

##web server##
pass in quick on $ext_if proto { tcp } from any to any port { http, https } flags S/SA rdr-to $wwwserver
pass in on $int_if proto tcp from $int_net to $ext_if port { http, https } \
    rdr-to $wwwserver
pass out on $int_if proto tcp to $wwwserver port { http, https } \
    received-on $int_if nat-to $int_if

##openvpn-ubuntu##
#openvpn#
pass in quick on $ext_if proto { tcp, udp } from any to any port { 1194 } flags S/SA rdr-to $openvpn
pass in on $int_if proto { tcp, udp } from $int_net to $ext_if port { 1194 } \
    rdr-to $openvpn
pass out on $int_if proto { tcp, udp } to $openvpn port { 1194 } \
    received-on $int_if nat-to $int_if

#ssh#
pass in quick on $ext_if proto { tcp } from any to any port { 2301 } flags S/SA rdr-to $openvpn

##windows Server2012##
#plex#
pass in quick on $ext_if proto { tcp, udp } from any to any port { 32400 } flags S/SA rdr-to $windows

##Microsoft VPN
#PPTP#
pass in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 1723 \
    rdr-to $windows port 1723
#L2TP#
pass in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 1701 \
    rdr-to $windows port 1701
pass in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 4500 \
    rdr-to $windows port 4500
pass in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 500 \
    rdr-to $windows port 500
What you want is to use pf to implement a "transparent proxy". You intercept the HTTP traffic and force it, or redirect it, to the Ubuntu HAVP box.
https://en.wikipedia.org/wiki/Transp...nsparent_proxy explains some problems of using a transparent proxy. It would be better to tell your local LAN users to configure their browsers to use the Ubuntu HAVP proxy. Then you can simply block all HTTP traffic not originating from the proxy. This has a positive side effect: now any blocked web traffic is a signal to you as system administrator that something is wrong with one of your LAN clients. BTW, I learned this from Nonesuch, a forum member at the now defunct bsdforums.org.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Quote:
Code:
. . .
pass in quick on $int_if proto tcp from any to any port 80 \
    rdr-to 192.168.1.11 port 8080
. . .
pass in on $int_if proto tcp from $int_net to $ext_if port { http, https } \
    rdr-to $wwwserver
. . .

The names for standard port numbers are defined in /etc/services. The file structure is defined in the services(5) man page.

Both of your rules intercept all traffic sourced from your internal LAN destined for web servers reachable on your external network. Instead of letting the traffic pass to the destination requested, they redirect that traffic to local servers. The first rule redirects all traffic to your HAVP server; the second rule redirects the same traffic to your web server. However, PF has a simple way of handling conflicts: the last matching rule wins. The first rule will be ignored, the second rule will apply, and all outbound traffic will be redirected to $wwwserver.

I do not understand why you are redirecting all outbound web traffic to your local web server. For example, with this rule set, if a workstation on your local network attempted to reach www.daemonforums.org, those requests would be redirected to your local web server instead. With this rule set, no outbound HTTP/S traffic is currently possible from your internal network.

While dup-to can replicate packets, keep in mind that HTTP and HTTPS are sent via TCP. TCP traffic is unicast and includes flow control, error detection and correction. Replicated traffic is likely to cause more problems than it solves, unless $wwwserver is not a web server at all but a passive monitor.
Code:
pass in quick on $int_if proto tcp from any to any port 80 \
    rdr-to 192.168.1.11 port 8080
Code:
pass in on $int_if proto tcp from $int_net to $ext_if port { http, https } \
    rdr-to $wwwserver
pass out on $int_if proto tcp to $wwwserver port { http, https } \
    received-on $int_if nat-to $int_if

So you are saying that all my web traffic from the local network goes to the web server, and from the web server to the internet? Then I could just use the system proxy on the web server, pointing at 192.168.1.11:8080, if that works?
My apologies. I made an error in my analysis. These rules are not the same. "On <interface>" is not the same as "from/to <interface>". Your rule for $wwwserver uses "to $ext_if", which maps to the address(es) assigned to the external interface itself. That rule does not redirect all traffic.
HAVP is an HTTP proxy. It would need to be configured as a transparent proxy in order to accept redirected traffic.
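As an added example (not code from the thread, from HAVP, or from OpenBSD's documentation), the following fragment writes out both approaches discussed above with the thread's own macros: the transparent redirect asked about in the opening post, and the "configure the browsers, then block anything that does not come from the proxy" approach recommended by J65nko. `$int_if`, `$int_net`, `$ext_if` and `$wwwserver` are taken from the posted pf.conf; the `havp` and `havp_port` macros are assumed for this example. It also handles two cases the thread does not spell out: the scanner's own outbound fetches arrive on `$int_if` too and must be exempted before the redirect rule, or HAVP's requests get looped back to HAVP; and the rule order matters, because PF takes the last matching rule unless an earlier one carries `quick`.

```pf
# Added example (not from the thread or from HAVP): two ways to send LAN web
# traffic through the HAVP scanner.  $int_if, $int_net, $ext_if and $wwwserver
# come from the posted pf.conf; the two macros below are assumed for this example.
havp      = "192.168.1.11"
havp_port = "8080"

# Rules shared by both options.
# LAN clients that use the public address still reach the internal web server
# (the thread's reflection rules).  "quick" makes these win over anything below.
pass in quick on $int_if proto tcp from $int_net to $ext_if port { http, https } \
    rdr-to $wwwserver
pass out on $int_if proto tcp to $wwwserver port { http, https } \
    received-on $int_if nat-to $int_if

# The scanner's own fetches also enter on $int_if.  Exempt them explicitly,
# otherwise option A would redirect HAVP's outbound requests back to HAVP.
pass in quick on $int_if proto tcp from $havp to any port { http, https }

# --- Option A: transparent redirect (what the thread asked for) -------------
# Only port 80 is redirected; HAVP cannot inspect TLS, so redirecting 443 here
# would just break HTTPS.  HAVP itself must be run in transparent mode.
pass in quick on $int_if proto tcp from $int_net to any port http \
    rdr-to $havp port $havp_port

# --- Option B: explicit proxy, enforced by the firewall (J65nko's advice) ---
# Browsers are configured to use $havp:$havp_port, and any direct web traffic
# that is not from the scanner is refused and logged.  A hit on this rule then
# means a client is misconfigured or bypassing the proxy.  Load B instead of A,
# not together with it.
block return in log on $int_if proto tcp from $int_net to ! $int_net port { http, https }
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. With option A, `pfctl -ss` should show the LAN clients' port-80 states rewritten to 192.168.1.11:8080; with option B, `tcpdump -n -e -ttt -i pflog0` shows every client that tried to go around the proxy, which is exactly the signal the thread describes.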