On 06/19/2009 02:05:36 AM, giuliano wrote:
Hello,
I’m new to pf, so maybe the question is silly, but I’ve looked around and can’t find a clear answer (maybe I’m looking for the wrong terms…).

From pf.conf(5)

     rdr-rule       = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                      [ "on" ifspec ] [ af ] [ protospec ]
                      hosts [ "tag" string ] [ "tagged" string ]
                      [ "->" ( redirhost | "{" redirhost-list "}" )
                      [ portspec ] [ pooltype ] ]

     hosts          = "all" |
                      "from" ( "any" | "no-route" | "urpf-failed" | "self" |
                      host | "{" host-list "}" | "route" string ) [ port ] [ os ]
                      "to"   ( "any" | "no-route" | "self" | host |
                      "{" host-list "}" | "route" string ) [ port ]

     host           = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )


FYI, when the traffic passes through the LAN it does not sound much
like a DMZ.

Can I do the same with pf without having one rdr rule for every DMZ’s host ?

Yes, if all the DMZ hosts use the same ports.

Do I have to setup an alias on the LAN connected interface for every IP on the networks 10.10.1-4.0/24 ?

Yes, unless the DMZ hosts all use different ports.

Is there a better way to have a similar setup ?

Set up a VPN and route traffic normally? Connect all the
networks to the gateway and use public IPs on the DMZ boxes?

Karl <k...@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
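As an added illustration of the "one rdr rule for many DMZ hosts that share a port" case Karl describes (this is not from the original thread or from giuliano's configuration; the interface names, addresses, table name and port are assumed for the example), a pf.conf fragment using the table (`"<" string ">"`) and pooltype elements of the rdr grammar quoted above:

```pf
# Added example, not part of the original mailing-list post.
# Assumed names: em1 is the LAN-facing interface, 192.168.1.0/24 is the LAN,
# 10.10.1-4.0/24 are the DMZ networks, and 192.168.1.80 is a single address
# the LAN clients use to reach the DMZ web service.
lan_if  = "em1"
lan_net = "192.168.1.0/24"
dmz_vip = "192.168.1.80"

# All DMZ web hosts listen on the same port, so one table covers them.
table <dmz_web> { 10.10.1.10, 10.10.2.10, 10.10.3.10, 10.10.4.10 }

# One rdr rule instead of one per host. Redirecting to a table requires
# the round-robin pool type; sticky-address keeps a client on one host.
# "rdr pass" creates the matching pass rule, as in the quoted grammar.
rdr pass on $lan_if proto tcp from $lan_net to $dmz_vip port 443 \
    -> <dmz_web> port 443 round-robin sticky-address

# Hosts that listen on different ports cannot share this rule; each
# distinct port still needs its own rdr line, which is Karl's caveat.
```

Check the fragment without loading it with `pfctl -nf /etc/pf.conf` (parse only). Note that this gives load balancing across the table, not a fixed one-to-one mapping from a LAN alias to a specific DMZ host; a one-to-one mapping is exactly the per-host rdr rule (and per-host alias) the question was trying to avoid.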
