Your pass rule for the web server is screwed up, so it won't match. The rule after it matches and should permit it to pass.

On Feb 3, 2008, at 10:31 PM, Bales, Tracy wrote:

# macros
ext_if="dc0"
int_if="dc1"
web_server="192.168.0.4"

# scrub
scrub in

# nat
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

# redirection
rdr on $ext_if proto tcp from any to any port 80 -> $web_server

This is slightly wrong, although it may not throw an error.

rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_server port 80

# filter rules
block in
pass out keep state
antispoof for { lo $int_if }

## take care of lo traffic
pass quick on lo all

## block inet6 traffic
block in quick inet6

## block broadcast noise
block in quick on $ext_if from any to 255.255.255.255

## take care of VPN
pass in quick proto gre all
pass out quick proto gre all

## pass out all UDP connections and keep state
pass out on $ext_if proto udp from ($ext_if) to any keep state

## pass out all ICMP connections and keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any keep state

## pass SSH traffic to firewall
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA keep state

## pass web traffic to web_server
pass in on $ext_if inet proto tcp from any to $web_server port 80 flags S/SA synproxy state

First, that would be to the external IP address of your firewall. This may work better for you:

pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 80 synproxy state

## pass everything else
pass in quick on $int_if

This should let it work as well; pf does a "last match" lookup. So "pass in quick" is pointless here, and it also means your previous rule won't match, ever.

Minor changes, overall. Let me know if these work.
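The ruleset with the reply's changes folded in and the wrapped rules joined, as an added example that is not either poster's file. One caveat from pf.conf(5) of this era applies: rdr translation runs before the filter engine, so a pass rule for redirected web traffic has to match the translated destination $web_server, not ($ext_if); the `quick` on antispoof is an added assumption, not in either post.

```pf
# macros
ext_if="dc0"
int_if="dc1"
web_server="192.168.0.4"

# normalisation
scrub in

# nat: hide internal hosts behind the firewall's external address
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

# redirection: explicit destination and port, as suggested in the reply
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_server port 80

# filter rules: default deny inbound, stateful outbound
block in
pass out keep state

# antispoof expands to plain block rules; with pf's last-match evaluation
# the later "pass in on $int_if" would override them, so 'quick' is added
# here (assumption: not in either post)
antispoof quick for { lo $int_if }

pass quick on lo all
block in quick inet6
block in quick on $ext_if from any to 255.255.255.255

# VPN (GRE)
pass in quick proto gre all
pass out quick proto gre all

pass out on $ext_if proto udp from ($ext_if) to any keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any keep state

# SSH to the firewall itself (rule joined onto one line)
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA keep state

# web traffic: rdr has already rewritten the destination to $web_server
# by the time this rule is evaluated, so match on that address; a rule
# matching ($ext_if) port 80 would never see the redirected packets
pass in quick on $ext_if inet proto tcp from any to $web_server port 80 flags S/SA synproxy state

# everything from the LAN (quick dropped, it is the last rule anyway)
pass in on $int_if
```

Check the file before loading it with `pfctl -nf /etc/pf.conf`, which parses the rules without installing them.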
