> Do the machines on the inside of the firewall have private
> addresses?
Yes.
> Perhaps a transparent firewall will work if the internal
> machines also have public addresses.
I'd love to be able to do this! :) However there are some unique
requirements this network brings which make public IP consumption
unworkable.
> Could you make use of the filter directive "route-to" to
> route packets to a different network?
>
> # hide internal hosts behind the first address of the external interface
> nat on $ExtIf from !($ExtIf) to any -> ($ExtIf:0)
>
> # forward inbound www traffic to the internal web server
> rdr on $ExtIf from any to ($ExtIf) port www -> 10.10.10.100 \
> port www
>
> # send internal www traffic out through the first exit/gateway pair
> pass in on $IntIf route-to { ($ExtIf_1 $ExtGw_1) } proto tcp \
> from $IntNet to any port www
As I understand it, I don't think this will work for me as it
"breaks" the advantages of running a dynamic routing protocol to
select the nearest-exit, but I'll need to think a little more on
this.
I'm also wondering if there's a creative way to use tags...
> It also sounds like you could make use of anchors in pf. With
> an anchor you can add remove nat, rdr or filter rules on the
> fly.
Ah! Yes indeed. Great idea, and could be quite handy. Elegant
too. But I'll certainly need to study the performance
characteristics of using anchors during a heavy load of
table-management operations -- perhaps tens of operations
(inserts or deletes) per second on a table of 500,000
entries/mappings.
> OpenBSD Pf Firewall "how to" ( pf.conf )
> http://calomel.org/pf_config.html
Fantastic site, btw! I've already bookmarked it. :)
-Adam
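The anchor and table handling discussed above, as an added example that is not part of the thread or of the calomel.org page: a small sh script that generates rdr rules from a list of port mappings, loads them into a pf anchor with pfctl, and adds or removes individual table entries. The anchor name "dyn", the table name "lan_hosts" and the interface name em0 are assumptions for this example; the rdr syntax is the pre-OpenBSD-4.7 nat/rdr form used by the rules quoted above, so the main pf.conf is assumed to declare `rdr-anchor "dyn"`, `anchor "dyn"` and `table <lan_hosts> persist`. The `persist` flag matters: without it a table referenced by no rule disappears when the main ruleset is reloaded.

```shell
#!/bin/sh
# Added example, not code from the thread. Manages per-mapping rdr rules
# in a pf anchor and a large address set in a pf table via pfctl.
# Assumed declarations in the main pf.conf (pre-OpenBSD 4.7 syntax):
#   rdr-anchor "dyn"
#   anchor "dyn"
#   table <lan_hosts> persist
# "dyn", "lan_hosts" and the interface em0 are assumed names.

EXT_IF="${EXT_IF:-em0}"   # assumed external interface

# Emit one rdr rule: external port $1 -> internal host $2 port $3.
rdr_rule() {
    printf 'rdr on %s proto tcp from any to (%s) port %s -> %s port %s\n' \
        "$EXT_IF" "$EXT_IF" "$1" "$2" "$3"
}

# Build a complete anchor ruleset from stdin lines "extport inthost intport".
# Blank lines are skipped.
build_anchor_ruleset() {
    while read -r ext host int; do
        if [ -n "$ext" ]; then
            rdr_rule "$ext" "$host" "$int"
        fi
    done
}

# Load a ruleset into anchor $1. pfctl -a ... -f replaces every rule in
# the anchor at once, so a reload is one operation however many rules it
# carries; it is not an incremental insert/delete.
load_anchor() {
    pfctl -a "$1" -f -
}

# Table operations are incremental: only the named entries are touched,
# and the ruleset is not reloaded. -T replace -f <file> swaps the whole
# table contents in one call for bulk updates.
table_add()    { pfctl -t "$1" -T add "$2"; }
table_delete() { pfctl -t "$1" -T delete "$2"; }
table_flush()  { pfctl -t "$1" -T flush; }

# Usage when run directly: "./dyn.sh load" with a constructed mapping list.
if [ "${1:-}" = "load" ]; then
    printf '%s\n' "80 10.10.10.100 80" "8443 10.10.10.101 443" \
        | build_anchor_ruleset | load_anchor dyn
    table_add lan_hosts 192.168.1.10
    table_delete lan_hosts 192.168.1.11
fi
```

Rule generation is kept separate from loading so the ruleset can be inspected (or diffed against the running anchor with `pfctl -a dyn -sr`) before pfctl touches the kernel, and so the per-mapping churn the thread worries about can go through `-T add`/`-T delete` on the table rather than through anchor reloads.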