OpenBSD Security: Functionally paranoid!
Redirect Internal Network to Internal Website
Hello all,
I am trying to figure out how I can have PF redirect my internal addresses to my internal web server, etc., rather than have internal users access the internal resources from the internet. Example: an internal user tries to access my website, http://*url*.org, or an internal user tries to access a web service, https://*url*.org:port#/path/. I have tried adding redirect rules for my internal interface but they do not seem to be working.
Code:
rdr on $int_if inet proto tcp from any to *myurl* port 80 -> *webserver* port 80
Does anyone know how this can be done? Thanks!
pf is a packet filter, it is not aware of high level protocols. What you want would require special configuration for a combination of services.
As for domain names in pf, unfortunately that would require changing certain elements of the rc script. Please post in more detail what you're trying to achieve.
PF can use domain resolution, but only at the time the rules are being loaded. If the IP address changes, the rules must be reloaded to obtain changed addresses. This also means that your DNS server, if used for resolution, must be available during boot. If this is not possible, you would want to place all names to be resolved in the PF server's hosts(5) file, and use "lookup file bind" in resolv.conf(5).
If you have a DNS server on the same platform -- i.e.: you have "nameserver 127.0.0.1" in resolv.conf(5) -- you need to be aware that PF rules are loaded by rc(8) before named(8) is started by rc(8). Therefore, you would require the same hosts(5) lookup for resolution.
Last edited by jggimi; 9th February 2009 at 06:43 PM. Reason: clarity
BSDfan666
I am trying to have PF redirect outgoing requests (inside my LAN) that are pointing to my domain name/DNS so they do not first travel out of my network to the internet and then back in again. So instead of: user wants to visit my locally hosted website, types URL, browser forwards query to DNS, etc., and then is redirected out into the internet to access "domain name" which happens to just point back to my own network (this fails and is a waste of bandwidth), I would like, instead of going to the internet to access my internal website, that my internal PF firewall will simply redirect anything to URL port 80 to my internal web server. Thus no more wasted bandwidth and hopefully it will actually work.
jggimi
Hmmm, it's unfortunate that PF will not "lookup" the IP on-the-fly. This defeats the full purpose of putting DNS as opposed to IP (for me). Would you be able to show sample code for PF that would work for redirection using a DNS name? (I will have to just reload my config if my IP changes.) The firewall is acting as a middle-man type thing. So it has internal and external interfaces. Internal would be connecting to the internal network and external would be connecting to the exterior portion of my network. Hope this helps clarify things. Thanks for all your help!
In your first post, you said of your rdr rules:
Last edited by jggimi; 9th February 2009 at 08:09 PM. Reason: clarity
Hello again,
Thanks for the info. With DNS I know I can manually enter the info there. However my issue is I have one domain name with multiple servers (IPs). I'd rather not have to do server1.domainname, server2.domainname, etc. (these won't exist outside), as well I would prefer to filter based on port used. Yes, the rules do go through. I have not had a chance to test with pfctl -s yet. Thanks for your help!
I took a look with pfctl -sn and I was able to see the rdr rules with the domain names translated into ip addresses.
I'm not sure what else I should check.
If you need to, you can do further confirmation. On your OpenBSD system, you can use tcpdump(8) to watch packets as they move in and out, and, if you were to set your rules to log traffic, you could also use tcpdump(8) with pflogd(8) and pflog(4). Your destination webservers may have tcpdump(8) or similar tools available.
The better performing solution would be to use split DNS; if you set up an "internal zone" DNS server, then you will not need to re-route all packets destined for internal addresses through your firewall, as this solution you're stuck on will do.
Solutions for this issue are discussed in http://openbsd.org/faq/pf/rdr.html#reflect
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
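For reference, here is the fourth approach from the linked FAQ section (rdr combined with nat on the internal interface) written out against the setup described in this thread. This is an added example, not text from the FAQ or from any poster; the interface names, the 192.168.1.0/24 LAN, the two server addresses and the public address 198.51.100.10 are constructed placeholders. It also covers the earlier point about one domain name fronting several servers, by sending port 80 and port 443 to different hosts:

```pf
# /etc/pf.conf fragment, pre-4.7 translation syntax as used in this thread.
# All addresses below are constructed placeholders.
ext_if   = "em0"
int_if   = "em1"
int_net  = "192.168.1.0/24"      # LAN behind $int_if
web_srv  = "192.168.1.40"        # internal web server (port 80)
app_srv  = "192.168.1.41"        # internal web service (port 443)
ext_addr = "198.51.100.10"       # public address the domain name resolves to;
                                 # a hostname would work here too, but PF resolves
                                 # it only when the ruleset is loaded

# Clients on the Internet: ordinary port forward on the external interface.
rdr on $ext_if inet proto tcp from any to $ext_addr port 80  -> $web_srv port 80
rdr on $ext_if inet proto tcp from any to $ext_addr port 443 -> $app_srv port 443

# Clients on the LAN talking to the public address arrive on $int_if, so the
# rules above never see them. A matching rdr on $int_if is needed instead.
rdr on $int_if inet proto tcp from $int_net to $ext_addr port 80  -> $web_srv port 80
rdr on $int_if inet proto tcp from $int_net to $ext_addr port 443 -> $app_srv port 443

# Redirecting alone is not enough: the server would answer the client directly
# on the LAN, from an address the client never connected to, and the handshake
# fails. Rewriting the source to the firewall's $int_if address makes the
# server reply through the firewall, which undoes both translations.
no nat on $int_if inet proto tcp from $int_if to $int_net
nat on $int_if inet proto tcp from $int_net to $web_srv port 80  -> $int_if
nat on $int_if inet proto tcp from $int_net to $app_srv port 443 -> $int_if

# Filtering happens after translation, so pass rules match the translated
# destination. Only LAN sources are allowed; nothing here uses "from any".
pass in  on $int_if inet proto tcp from $int_net to $web_srv port 80  keep state
pass in  on $int_if inet proto tcp from $int_net to $app_srv port 443 keep state
pass out on $int_if inet proto tcp from $int_if  to $web_srv port 80  keep state
pass out on $int_if inet proto tcp from $int_if  to $app_srv port 443 keep state
```

Check the ruleset with pfctl -nf /etc/pf.conf before loading it, then confirm what is actually installed with pfctl -s nat (a hostname used in place of $ext_addr shows up there already resolved, as jggimi described) and watch a connection attempt from the LAN with pfctl -s state, where both the rdr and the nat entry for the same connection should appear. On OpenBSD 4.7 and later the same reflection is expressed with rdr-to and nat-to options on match or pass rules rather than separate rdr and nat rules.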
Thanks for the link, J65nko. I suppose where it talks about RDR is why my RDR rules do not work.
I will play around and see if I can't get this going. Thanks! |
Hi jggimi,
Yes, thank you also for your input. I am not all that proficient with DNS and my DNS is not kept on BSD, so I'm not sure how, if possible, it would be doable on Windows.