Re: Web Traffic forwarding, PF and NC

2008-02-23 Thread elaconta.com Webmaster

Stefan Kell wrote:

Hello,

 Original Message 

Date: Sat, 23 Feb 2008 21:29:06 +
From: "elaconta.com Webmaster" <[EMAIL PROTECTED]>
To: Stefan Kell <[EMAIL PROTECTED]>
CC: misc@openbsd.org
Subject: Re: Web Traffic forwarding, PF and NC



  

Stefan Kell wrote:


Hello,

On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:

  

Stefan Kell wrote:


Hello,

On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:

  

Greetings

...snip...
rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000


...snip

I'm running OpenBSD 3.9 (i386) on both machines.


why not rdr directly to your internal webserver instead of 127.0.0.1?
OpenBSD 3.9 is quite old but rdr should work quite well. I use this since
OpenBSD 3.4


Regards

Stefan Kell



  

Hi

I've tried the following configuration but it yields no effect, i.e. 
when someone tries to view a web page from the outside the web page 
isn't served. Maybe something is wrong with the config:




#---
ext_if="rl1"

rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.126 port 80

pass out on $ext_if inet all keep state
pass in on $ext_if inet all keep state
#---



is the OpenBSD machine acting as a router? Or is the webserver directly
connected to the cable modem? Then it cannot work as Stuart Henderson
has explained. My setup would use the machine as a router and different
subnets and also nat on the external interface.

Regards

Stefan Kell


  
The webserver (192.168.1.126) is directly connected to the cable modem,
as is the 192.168.1.121 server.
What service(s) would I need to run on 192.168.1.121 to make it usable
as a gateway (router) to 192.168.1.126?

Would just:

# sysctl net.inet.ip.forwarding=1

enable it as a router? I would also need some other service, right? Sorry
for any noobness.



You need two network interfaces on your OpenBSD machine, different subnets
physically: one for the cable modem and external interface on OpenBSD, one for your
internal network. sysctl is necessary as you have written and you need a nat
rule in pf.conf. There are a lot of instructions floating around on the internet
which show you how to do it.

Regards

Stefan Kell



  
Okay, I'm going to add a NIC to 192.168.1.121 (I've got some lying
around) and do it that way then. Thanks!
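
Stefan's two-NIC router layout, written out as an added example in OpenBSD 3.9-era pf.conf syntax (the nat/rdr rules that predate the 4.7 rewrite). This is not configuration from the thread. The interface names, the new internal subnet 192.168.2.0/24 and the webserver's new address 192.168.2.2 are my assumptions; the cable modem is assumed to keep forwarding ports 25, 80 and 110 to 192.168.1.121 exactly as the original post describes.

```pf
# Added example, not from the thread: OpenBSD 3.9-era pf.conf for the
# two-NIC router Stefan describes. Assumed names and addresses:
#   rl1 = 192.168.1.121, toward the cable modem (192.168.1.120)
#   rl0 = 192.168.2.1,   toward the new internal subnet
#   web server moved to 192.168.2.2, default gateway 192.168.2.1
ext_if     = "rl1"
int_if     = "rl0"
int_net    = "192.168.2.0/24"
webserver  = "192.168.2.2"
mail_ports = "{ 25, 110 }"

set skip on lo0
scrub in all

# Connections FROM the internal subnet are masqueraded behind .121 on
# the way out, so the cable modem still sees a single host.
nat on $ext_if from $int_net to any -> ($ext_if)

# Port 80 arriving for .121 gets ONLY its destination rewritten; the
# source stays the Internet client's address. This is what the nc/inetd
# proxy could not do, since nc opened a fresh connection from .121.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $webserver port 80

block in log all

# Filter rules run after translation, so the web rule must match the
# rewritten destination, not 192.168.1.121.
pass in on $ext_if inet proto tcp from any to $webserver port 80 \
    flags S/SA keep state
# Mail is still served by this box itself (cable modem forwards 25/110).
pass in on $ext_if inet proto tcp from any to ($ext_if) port $mail_ports \
    flags S/SA keep state
pass out on $ext_if inet all keep state

# Internal side: the internal subnet may go out, and the redirected
# requests reach the web server (matched by the state created above).
pass in  on $int_if inet from $int_net to any keep state
pass out on $int_if inet all keep state
```

Besides pf.conf you need net.inet.ip.forwarding=1 in /etc/sysctl.conf (the sysctl from the thread), and the webserver has to use 192.168.2.1 as its default gateway, because the replies must come back through the box that holds the pf state. Load the rules with pfctl -f /etc/pf.conf and check them with pfctl -s nat and pfctl -s rules; a tcpdump -ni rl0 port 80 on the internal interface should then show the Internet client's address as the source of the redirected packets, which is the address the webserver will log. Add pass rules the same way for anything else the box itself serves (DNS, ssh).
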




Re: Web Traffic forwarding, PF and NC

2008-02-23 Thread elaconta.com Webmaster

Stefan Kell wrote:

Hello,

On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:


Stefan Kell wrote:

Hello,

On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:


Greetings

...snip...
rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000


...snip

I'm running OpenBSD 3.9 (i386) on both machines.



why not rdr directly to your internal webserver instead of 127.0.0.1?
OpenBSD 3.9 is quite old but rdr should work quite well. I use this since
OpenBSD 3.4


Regards

Stefan Kell




Hi

I've tried the following configuration but it yields no effect, i.e. 
when someone tries to view a web page from the outside the web page 
isn't served. Maybe something is wrong with the config:


#---
ext_if="rl1"

rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.126 port 80

pass out on $ext_if inet all keep state
pass in on $ext_if inet all keep state
#---





is the OpenBSD machine acting as a router? Or is the webserver directly
connected to the cable modem? Then it cannot work as Stuart Henderson
has explained. My setup would use the machine as a router and different
subnets and also nat on the external interface.

Regards

Stefan Kell


The webserver (192.168.1.126) is directly connected to the cable modem,
as is the 192.168.1.121 server.
What service(s) would I need to run on 192.168.1.121 to make it usable
as a gateway (router) to 192.168.1.126?

Would just:

# sysctl net.inet.ip.forwarding=1

enable it as a router? I would also need some other service, right? Sorry for
any noobness.



Re: Web Traffic forwarding, PF and NC

2008-02-23 Thread elaconta.com Webmaster

Stefan Kell wrote:

Hello,

On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:


Greetings

...snip...
rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000


...snip

I'm running OpenBSD 3.9 (i386) on both machines.



why not rdr directly to your internal webserver instead of 127.0.0.1?
OpenBSD 3.9 is quite old but rdr should work quite well. I use this since
OpenBSD 3.4


Regards

Stefan Kell




Hi

I've tried the following configuration but it yields no effect, i.e. 
when someone tries to view a web page from the outside the web page 
isn't served. Maybe something is wrong with the config:


#---
ext_if="rl1"

rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.126 port 80

pass out on $ext_if inet all keep state
pass in on $ext_if inet all keep state
#---



Web Traffic forwarding, PF and NC

2008-02-23 Thread elaconta.com Webmaster

Greetings

I've got a cable modem that forwards ports 80, 110 and 25 to an internal host
(192.168.1.121). Email (POP and SMTP) is hosted on 192.168.1.121, but recent
changes have forced me to move the webserver to another machine (192.168.1.126),
which means I have to somehow forward port 80 traffic from 192.168.1.121 to
192.168.1.126, because the crappy cable modem doesn't let me forward different
ports to different machines. No problem I think:

- Both 192.168.1.121 and 192.168.1.126 have 192.168.1.120 (the cable modem)
defined as their gateway

I've used the following config in /etc/pf.conf on 192.168.1.121:

#---
ext_if="rl1"

rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000

# Allow all outgoing traffic
pass out on $ext_if inet all keep state

# Allow all incoming traffic
pass in on $ext_if inet all keep state
#---


and I've added the following to /etc/inetd.conf on 192.168.1.121:

# accept on loopback port 5000 and hand each connection to nc, which opens
# a new connection to the webserver on 192.168.1.126:80
127.0.0.1:5000  stream  tcp  nowait  nobody  /usr/bin/nc  nc -w 20 192.168.1.126 80

to create a port 80 proxy to handle web traffic to and from the
192.168.1.126 webserver.


and this works. The webserver on 192.168.1.126 serves web traffic to the
Internet.
Now my only problem is, web traffic arrives on 192.168.1.126 as having
originated from 192.168.1.121, and I need it to arrive on 192.168.1.126 as
if it had originated from the outside address (Internet), i.e. preserve the
outside source IP address for correct web logging purposes. As it is, web
traffic that arrives on 192.168.1.126 is logged with 192.168.1.121 as the
source IP address.


Is there any PF rule or NC configuration to preserve the outside source
IP address as traffic is forwarded from 192.168.1.121 to 192.168.1.126?

I'm running OpenBSD 3.9 (i386) on both machines.

I apologise if this is some "noob" question with an obvious answer.



Re: PF redirect to another IP on LAN

2006-07-29 Thread elaconta.com Webmaster
Kian Mohageri wrote:
>> Wouldn't this do the trick?
>>
>> rdr on rl1 proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.103
>>
>> "Redirect any port 80 traffic originally meant for me to 192.168.1.103"
>> 
>
>
>
> Yes, but why are you asking if you already have the answer?  As stated in
> the man page, your traffic will also need to pass filter evaluation AFTER
> the redirect rule is processed.  Can't you just test that line?
>
> Kian
>
>
>
>   
If I knew that was the correct answer, of course I wouldn't have asked
:) As for passing the filter evaluation, I'll disable the PF filters and
test just this redirecting rule then.

Thanks.

-
Elaconta.com webmaster
-
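
As an added example, not from the thread: the rdr line above together with the filter rule Kian points at, in OpenBSD 3.9-era pf.conf syntax. Which bridge member is rl1 is not stated in the thread; the example assumes rl1 faces the router (192.168.1.120) and carries 192.168.1.121, rl0 faces the LAN with no address of its own, and 192.168.1.103 sits on the LAN side of the bridge.

```pf
# Added example (not from the thread): rdr on a bridge member, pre-4.7 syntax.
# Assumptions:
#   rl1 = bridge member facing the router 192.168.1.120, address 192.168.1.121
#   rl0 = bridge member facing the LAN, no address of its own
#   192.168.1.103 = web server on the LAN side of the bridge
out_if    = "rl1"
in_if     = "rl0"
self      = "192.168.1.121"
webserver = "192.168.1.103"
lan       = "192.168.1.0/24"

set skip on lo0
scrub in all

# Only the destination is rewritten; the client's source address is kept,
# so 192.168.1.103 logs the real client. Leaving out "port 80" after the
# arrow keeps the original destination port, as in the rule from the thread.
rdr on $out_if proto tcp from any to $self port 80 -> $webserver

block in log all

# A rdr rule does not pass anything by itself. The filter sees the packet
# AFTER translation, so the pass rule must name 192.168.1.103, not .121.
pass in on $out_if inet proto tcp from any to $webserver port 80 \
    flags S/SA keep state

# Traffic the LAN sends through the bridge; its replies and the web
# server's replies are matched by state (floating by default).
pass in on $in_if inet from $lan to any keep state
pass out inet all keep state
```

A LAN host that talks to 192.168.1.121:80 enters the bridge on rl0, where this rdr does not apply; add the same rdr on $in_if if that is wanted, or point LAN clients straight at 192.168.1.103. If the page still does not load, watch the LAN side with tcpdump -ni rl0 host 192.168.1.103 and look for the translated entry in pfctl -s state. The frame from the router is addressed to the bridge's own MAC for 192.168.1.121, so my assumption (to be verified with that tcpdump) is that the rewritten packet is forwarded by the IP stack rather than bridged; I would therefore set net.inet.ip.forwarding=1 on the box before blaming the rule.
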



Re: PF redirect to another IP on LAN

2006-07-29 Thread elaconta.com Webmaster
Peter Blair wrote:
> man pf.conf
>
> Secondly, it's been discussed numerous times on the list that bridges
> have their place (I use them in production environments at our data
> centre) but you'll find filtering a bridge much more difficult than
> filtering a NAT.
>
> On 7/29/06, elaconta.com Webmaster <[EMAIL PROTECTED]> wrote:
>> Hi
>>
>> I've just successfully configured an OpenBSD bridge with two NICs to
>> separate and filter traffic between our private LAN (192.168.1.0/24) and
>> our router (192.168.1.120).
>> I've given an IP address to one of the NICs (192.168.1.121) on the
>> bridge and am running a Bind caching nameserver on it. Now, the next
>> thing we'd need to do would be to redirect any traffic that comes
>> through the bridge destined to IP address 192.168.1.121 port 80 to
>> another server in the LAN (192.168.1.103 port 80).
>> From what I understand, this entails using PF and the rdr statement. Any
>> ideas on how to do this successfully? Thanks.
>>
>> --
>> Elaconta.com webmaster
>> --
>>
>>
>
>
Wouldn't this do the trick?

rdr on rl1 proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.103

This bridge has IP address 192.168.1.121 configured on one of the NICs,
so isn't the above like saying:

"Redirect any port 80 traffic originally meant for me to 192.168.1.103"

Or is there something i'm not considering here?

--
Elaconta.com webmaster
--



PF redirect to another IP on LAN

2006-07-29 Thread elaconta.com Webmaster
Hi

I've just successfully configured an OpenBSD bridge with two NICs to
separate and filter traffic between our private LAN (192.168.1.0/24) and
our router (192.168.1.120).
I've given an IP address to one of the NICs (192.168.1.121) on the
bridge and am running a Bind caching nameserver on it. Now, the next
thing we'd need to do would be to redirect any traffic that comes
through the bridge destined to IP address 192.168.1.121 port 80 to
another server in the LAN (192.168.1.103 port 80).
From what I understand, this entails using PF and the rdr statement. Any
ideas on how to do this successfully? Thanks.

--
Elaconta.com webmaster
--



Re: OpenBSD Gateway to replace old Linux gateway

2006-07-27 Thread elaconta.com Webmaster
Dag Richards wrote:
> Webmaster Elaconta wrote:
>> I'm not looking forward to addressing the router to a different subnet
>> (and i know that would solve the problem) because our Internet-facing
>> servers are connected directly to that router in DMZ fashion (the router
>> forwards ports to them). The firewall is also connected directly to that
>> router and the LAN is in turn connected to the firewall. Changing the
>> subnet on the router would mean we would have to reconfigure a number of
>> Internet services which sort of depend on the 192.168.1.x network
>> configuration.
>>
>> Now, if you know how to do what I want with OpenBSD, i would love to
>> hear
>> it. 
>
> You can configure OBSD to be a transparent bridge, as people here have
> told you. Setting up bridging is pretty simple, I did it in an
> afternoon for a test env. Having a system conf-ed to bridge does not
> preclude an IP or running services. Read the bridge and brconfig man
> pages, that will get you going you can find the man pages
> http://www.openbsd.org/cgi-bin/man.cgi if you do not have a running
> system.
>
>
>> After listening to the solution, I can then judge for myself if the
>> solution works. Even if we maintain the "broken" architecture for a
>> while - i'm not even sure if it is that broken, since it worked for
>> years without a squeak - at least we'll have a secure OS running it.
>
>
> A better way to config may be to run your fw as out_if= 192.168.1.121
> in_if=192.168.2.1
>
> Nat your pcs behind 192.168.1.121
> change the default gw of your pcs to be 192.168.2.1 and continue life
> fairly close to what you consider to be normal.
>
> If its not something you can get to perhaps you could hire someone to
> set it up, Jason Dixon monitors this list he consults and seems to be
> pretty sharp.
>
> Trust them however when they say your configuration is broken.
> People with heart murmurs pump blood for a long while, but are often
> eventually betrayed  by their hearts.
>
>
> working( today && yesterday ) != { working( tomorrow ) || good_idea(1) };
>
>
>>
>> --
>> Elaconta.com webmaster
>> --
>>
>> On 7/27/2006, "Nick Holland" <[EMAIL PROTECTED]> wrote:
>>
>>> elaconta.com Webmaster wrote:
>>>> Howdy
>>>>
>>>> We have here an old (Mandrake Linux 8 - yeah i know...) PC with two
>>>> NICs
>>>> which serves as a firewall for our LAN and runs a Bind caching
>>>> nameserver.
>>>> Although the machine is getting old, it still works well. Thing is, I'm
>>>> having a hard time trying to reproduce it, that is, getting another PC
>>>> to do exactly the same thing this PC is doing. It was configured by a
>>>> guy that left the company, so I can't simply ask him how he configured
>>>> it.
>>>> It's a precautionary measure, if the machine breaks down we need another
>>>> one to go in its place.
>>> Yes You Do.
>>>
>>>> So while am at it i would love to replace the crusty old thing with a
>>>> new one running OpenBSD.
>>>> The networking scheme is:
>>>>
>>>> Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122)
>>>> <-> (192.168.1.0/24) LAN
>>>>
>>>> Now, thing is, the Linux firewall has two NICs:
>>>>
>>>> NIC 1: 192.168.1.121
>>>> NIC 2: 192.168.1.122
>>>>
>>>> The two NICs on the Linux box are configured with 192.168.1.121 and
>>>> 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses
>>>> the company router (192.168.1.120) and 192.168.1.122 accesses the company
>>>> LAN (192.168.1.0/24)
>>>> From what I've googled, this shouldn't even be possible, everything is
>>>> on the same subnet. Regardless, it works great, and if I went and got an
>>>> OpenBSD rig to replace the old Linux rig, it would have to retain this
>>>> networking scheme, we can't afford to reconfigure the entire network
>>>> just for switching our firewall.
>>> NO, you can't afford to avoid switching your firewall because of a
>>> misconfigured network.
>>>
>>> Your network is broke NOW.  If that old box dies or gets rooted (if it
>>> hasn't been already), you will be l

Re: OpenBSD Gateway to replace old Linux gateway

2006-07-27 Thread elaconta.com Webmaster
Matt Radtke wrote:
> Hello there
>
>   
>>> Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122)
>>> <-> (192.168.1.0/24) LAN
>>>
>>> Now, thing is, the Linux firewall has two NICs:
>>>
>>> NIC 1: 192.168.1.121
>>> NIC 2: 192.168.1.122
>>>
>>> The two NICs on the Linux box are configured with 192.168.1.121 and
>>> 192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses
>>> the company router (192.168.1.120) and 192.168.1.122 accesses the company
>>> LAN (192.168.1.0/24)
>>>
>
> Your Linux box is very likely running as a real bridge
> (set eth0 and eth1 as a bridge) or a fake bridge
> (running proxy-arp).  You could confirm that--I'm
> guessing every machine in your LAN has a default gw of
> .120, your router?  And your router believes that it
> is directly connected to your LAN?  If not, then
> everyone else is right--your network is screwed and
> you're lucky it's lasted this long.
>
>   
Every machine in our LAN has a default gateway of 192.168.1.122 (not 120)
The firewall machine can connect both to the router and to the internal
network. I can SSH to the firewall box from any machine in the
192.168.1.0 LAN and of course the firewall box accesses the net through
the 192.168.1.120 router.
>>> I know we could use a network bridge, but we need the caching
>>> nameserver functionality.
>>>
>
> Setting up a machine to bridge does not exclude it from
> running as a nameserver, if you must still do this
> [0].
>
> Off the top of my head, create a bridge with your
> $inif and $outif on your replacement machine.  Inif
> doesn't need to have an IP on it.  Bind your
> nameserver to outif.  Setup your filter rules as you
> need them.
>
>   
I forgot to mention something - this Linux box is also secondary DNS for
some Web domains. Right now, the router forwards DNS packets from
outside to 192.168.1.121 (the NIC on the firewall box which is connected to
the router), and the Linux box serves DNS requests to the outside
through the eth0 interface.
I'm guessing a bridge can serve DNS to clients on the LAN if we give it
an IP (I'm not sure how to do this though), but can it also serve DNS to
Internet clients (outside the LAN)?
Anyway, I guess a bridge wouldn't be the worst way to go, even if I
would have to reconfigure 50 workstations across 3 departments (oh boy)
to use 192.168.1.120 instead of 192.168.1.122. I could install a DNS
server on IP 192.168.1.121 to take care of DNS.

Anyway, I have a small doubt about the bridge. I'm guessing it would
enable transparent access from the LAN to 192.168.1.120 (the router)
while allowing us to maintain our filtering rules, that is, the
workstations would need to have 192.168.1.120 set as gateway. I hear
bridges are not so good when it comes to handling FTP and IRC as a
NAT'ing firewall. Is this true, or are there workarounds for this?

> -Matt
>
> ps.  Just because something is a bridge doesn't mean
> that it can't have IP addresses.
>
> [0] List, feel free to destroy me if my setup wouldn't
> work. 8^)
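
Matt's suggestion, made concrete as an added example (not from the thread) for OpenBSD 3.9: the bridge with an address on the router-facing NIC, named listening on it, and pf rules that let both the LAN and the outside reach DNS on it. Assumed: rl1 faces the router and carries 192.168.1.121, rl0 faces the LAN without an address. In that release the interface files would be /etc/hostname.rl1 containing "inet 192.168.1.121 255.255.255.0 NONE", /etc/hostname.rl0 containing "up", and /etc/bridgename.bridge0 containing the three lines "add rl0", "add rl1", "up" (brconfig(8) syntax). The pf.conf then reads:

```pf
# Added example, not from the thread: pf.conf for the bridge Matt describes.
# Assumptions:
#   rl1 = bridge member facing the router 192.168.1.120, address 192.168.1.121
#   rl0 = bridge member facing the LAN, no address of its own
#   named listens on 192.168.1.121; the router forwards port 53 from the
#   outside to that address, LAN clients query it directly
out_if = "rl1"
in_if  = "rl0"
self   = "192.168.1.121"
lan    = "192.168.1.0/24"

set skip on lo0
scrub in all

block in log all

# DNS from the outside (this box is secondary for some public zones):
# lookups over UDP, with TCP fallback for large answers. The zone
# transfers this secondary pulls from its masters are outbound and are
# covered by the pass out rule below.
pass in on $out_if inet proto { tcp, udp } from any to $self port 53 \
    keep state

# DNS from the LAN (caching resolver); answers leave on $in_if and are
# matched by the state.
pass in on $in_if inet proto { tcp, udp } from $lan to $self port 53 \
    keep state

# Everything else the LAN sends crosses the bridge toward the router.
# Workstations use 192.168.1.120 as default gateway; the bridge is never
# a hop and needs no address on the LAN side.
pass in on $in_if inet from $lan to any keep state

# Replies to the above, plus the bridge box's own outbound connections
# (named's recursive lookups and zone transfers go out through $out_if).
pass out inet all keep state
```

One thing pf cannot do for you here: with port 53 open to the whole Internet on the same address that serves the LAN's recursive lookups, named itself has to refuse recursion for outside clients (allow-recursion limited to 192.168.1.0/24 and allow-query any for the secondary zones only), otherwise the box becomes an open resolver. Check the loaded rules with pfctl -s rules and, from a LAN host and from outside, confirm with dig that only the LAN gets recursive answers.
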



OpenBSD Gateway to replace old Linux gateway

2006-07-26 Thread elaconta.com Webmaster
Howdy

We have here an old (Mandrake Linux 8 - yeah I know...) PC with two NICs
which serves as a firewall for our LAN and runs a Bind caching nameserver.
Although the machine is getting old, it still works well. Thing is, I'm
having a hard time trying to reproduce it, that is, getting another PC
to do exactly the same thing this PC is doing. It was configured by a
guy that left the company, so I can't simply ask him how he configured
it.
It's a precautionary measure, if the machine breaks down we need another
one to go in its place.
So while I'm at it I would love to replace the crusty old thing with a
new one running OpenBSD.
The networking scheme is:

Router (192.168.1.120) <-> (192.168.1.121) Firewall PC (192.168.1.122)
<-> (192.168.1.0/24) LAN

Now, thing is, the Linux firewall has two NICs:

NIC 1: 192.168.1.121
NIC 2: 192.168.1.122

The two NICs on the Linux box are configured with 192.168.1.121 and
192.168.1.122, both interfaces on the same subnet. 192.168.1.121 accesses
the company router (192.168.1.120) and 192.168.1.122 accesses the company
LAN (192.168.1.0/24)
From what I've googled, this shouldn't even be possible, everything is
on the same subnet. Regardless, it works great, and if I went and got an
OpenBSD rig to replace the old Linux rig, it would have to retain this
networking scheme, we can't afford to reconfigure the entire network
just for switching our firewall.

I know we could use a network bridge, but we need the caching
nameserver functionality.

I'm an all round Unix guy, but I'm a bit green in the routing department.

Can an OpenBSD box be configured the same way the Linux box is so it can
be a drop-in replacement for the Linux box? I can of course depict in
further detail the configuration of the Linux box (netstat -r to show
the routes, ifconfig or whatever).

-
Elaconta.com Webmaster
-