i finally convinced my boss to let me try openbsd in production.  it's
meant to be a bastion/gateway between our corporate LAN and an isolated
subnet for a new project.

my problem is the new rdr syntax.  i need to forward port 80 from the
corporate net into the isolated LAN so that we can access the
browser-based management GUI for the equallogic SAN gear there.  i've
done this at home for years with the old pf syntax, but i can't get it
going at work with 4.7.

i have net.inet.ip.forwarding=1 set in sysctl.conf.  my pf.conf follows:



################################################################################
# /etc/pf.conf
# openbsd 4.7 / uswal1-bastion01


################################################################################
# lists & macros

# interface definitions
ext_if="em0"
int_if="em1"

# the equallogic administrative "group" ip address for group "dsan01"
dsan01_grp_ip="10.4.25.20"


################################################################################
# tables


################################################################################
# options

# don't touch loopback traffic
set skip on lo

# let's be a good network citizen (return ICMP)
set block-policy return

# enable logging on the external interface
set loginterface $ext_if


################################################################################
# normalization


################################################################################
# queueing


################################################################################
# match rules


################################################################################
# filtering (last match unless "quick" is used)

###########################
# rules for $ext_if inbound

# block all outside traffic by default
block in log (all) on $ext_if all

# allow icmp (ping, pmtud)
pass in on $ext_if inet proto icmp all

# allow ssh
pass in log (all) on $ext_if inet proto tcp from any to $ext_if port 22

# allow http and forward it to the equallogic group ip address
pass in log (all) on $ext_if inet proto tcp from any to $ext_if port 80 rdr-to $dsan01_grp_ip


############################
# rules for $ext_if outbound

# allow replies to traffic originating inside
pass out log (all) on $ext_if all keep state



can anybody see what i'm missing?  i'd love to score some points
for openbsd at my job (and i'll fall back to 4.6 if i have to) but i'd
really love to get this working with 4.7.  any insight would be much
appreciated.

thanks,

peter gilman
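Added example (not part of Peter's message, and not an equallogic or OpenBSD project file): the same port-80 forward written for OpenBSD 4.7, where nat/rdr are no longer separate rule types but options on the filter rule that creates the state. It is restructured as a default-deny ruleset so that every permitted flow is explicit and dropped packets show up in pflog. em0, em1 and the group address 10.4.25.20 are the values from the post; $corp_net and $isolated_net are assumed placeholder ranges that have to be replaced with the real subnets.

```pf
# /etc/pf.conf  (added example for OpenBSD 4.7; not the configuration posted above)
# em0/em1 and 10.4.25.20 come from the post; the two network ranges are assumptions.
ext_if="em0"
int_if="em1"
dsan01_grp_ip="10.4.25.20"
corp_net="192.0.2.0/24"        # assumed: the corporate LAN that may reach the SAN GUI
isolated_net="10.4.25.0/24"    # assumed: the project subnet behind $int_if

set skip on lo
set block-policy return
set loginterface $ext_if       # a macro rather than a literal name, so it cannot
                               # drift from the interface that is actually in use

# default deny, both directions, both interfaces; log what gets dropped
block log all

# bastion management from the corporate side only
pass in on $ext_if inet proto icmp from $corp_net
pass in log on $ext_if inet proto tcp from $corp_net to ($ext_if) port 22

# 4.7 syntax: rdr-to is an option on the filter rule. the destination is
# rewritten to the SAN group address when this rule matches, so the state
# (and the pflog entry) carry 10.4.25.20, not the bastion's own address
pass in log on $ext_if inet proto tcp from $corp_net to ($ext_if) port 80 \
    rdr-to $dsan01_grp_ip

# the translated flow leaving towards the SAN, listed explicitly so the
# ruleset still documents itself if state-policy is ever set to if-bound
pass out on $int_if inet proto tcp from $corp_net to $dsan01_grp_ip port 80

# only if the SAN has no route back to $corp_net via this box: source-NAT the
# forwarded flow to $int_if's address so the replies come back through pf
# match out on $int_if inet proto tcp to $dsan01_grp_ip port 80 nat-to ($int_if)

# connections the bastion itself starts (syslog, ntp, package fetches, ...)
pass out on $ext_if inet from ($ext_if)
pass out on $int_if inet from ($int_if) to $isolated_net
```

Two checks worth running before suspecting the syntax: `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -ss` after a connection attempt shows whether a state with the translated 10.4.25.20:80 destination was created at all. If the state exists but the TCP handshake never completes, the usual cause is routing rather than pf: rdr-to rewrites only the destination, so the SAN sees the corporate client's real address as the source and sends its SYN/ACK to that address through its own default gateway. That gateway has to be the bastion's em1 address (or the commented nat-to line has to be enabled), otherwise the reply takes a different path and the state on the bastion never advances. Packets hitting the block rule are visible with `tcpdump -n -e -ttt -i pflog0`.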
