Re: PF rdr question
On Wed, Sep 23, 2009 at 5:59 PM, Matthew Young <myoung24...@gmail.com> wrote:

> Hello,
>
> I've been trying to do redirection, this time with a very minimal procedure as follows.
>
>   # cat /etc/pf.conf
>   t_externa = re0
>   server = 208.99.249.95
>   rdr on $t_externa proto tcp from any to any port 80 -> $server
>
>   # cat /etc/sysctl.conf
>   net.inet.ip.forwarding=1
>   net.inet6.ip6.forwarding=1
>
> This is the state log:
>
>   STATES:
>   all tcp 208.99.249.95:80 (77.46.79.232:80) <- 180.10.98.2:60011       CLOSED:SYN_SENT
>
> 180.10.98.2 is my IP, 77.46.79.232 is the box with pf, and 208 is the box I am trying to redirect to.
>
> Why would this be failing?
>
> Thank you
> --Matt

Hello,

From http://www.openbsd.org/faq/pf/rdr.html :

> NOTE: Translated packets must still pass through the filter engine and will be blocked or passed based on the filter rules that have been defined.

Regards,
Ari Constancio
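The FAQ note quoted above, as an added example that is not part of the thread or of the OpenBSD FAQ: a pf.conf in the pre-4.7 syntax used in this thread, with the rdr rule and the filter rules the translated packet still has to match. Interface and address names are assumptions chosen for illustration.

```pf
# Added example (not from the thread): inbound port 80 redirected to an
# internal web server, with the filter rules that the translated packet
# still has to pass.  Interface and address names are assumptions.
ext_if = "re0"
int_if = "em0"
server = "192.168.1.10"        # assumed internal web server

set skip on lo

# Translation only rewrites the destination address.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $server

# With a default-deny ruleset, a translated packet that no pass rule
# matches is silently dropped; the rdr rule by itself passes nothing.
block all

# The filter sees the packet AFTER translation, so the pass rule has to
# match the translated destination ($server), not the external address.
pass in on $ext_if proto tcp from any to $server port 80
pass out on $int_if proto tcp from any to $server port 80

# Shorthand for the two lines above plus the rdr: "rdr pass" creates the
# matching pass rule for you.
#rdr pass on $ext_if proto tcp from any to ($ext_if) port 80 -> $server

# If $server is NOT behind this box (so its replies would not pass through
# pf), also translate the source so the replies come back through here:
#nat on $ext_if proto tcp from any to $server port 80 -> ($ext_if)
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and use `pfctl -ss` to inspect states. A state that stays in CLOSED:SYN_SENT, as in the thread, means the translated SYN was forwarded but no SYN-ACK came back through pf. When the target is a host on the outside rather than an internal server, rdr alone makes the reply go straight from the target to the client, from an address the client never connected to, and the client resets the connection; that case needs the commented nat rule as well, the same nat-plus-rdr combination the FAQ uses for reflection.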
Re: RDR question
Monah Baki wrote:
> rdr on $ext_if proto tcp from 192.168.2.0/24 to any port 80 -> \
>     127.0.0.1 port 5000

You changed the 'to' part from 'to $ext_if' to 'to any', yes, but you also modified the 'rdr on' device to $ext_if. Why not leave it $int_if as before? Should work here?
RDR question
Hi all,

I'm running OpenBSD on a Soekris box, 4.3 -current.

  sis0=192.168.3.32
  sis1=192.168.2.1

I have a proxy server, IP address 192.168.3.106. I want a rule to have all users on the .2 network go through the proxy.

Tried the following in /etc/inetd.conf:

  127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w \
      20 192.168.3.106 8080

  rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> \
      127.0.0.1 port 5000

I can access websites, but the thing is the proxy server is running DansGuardian on 8080 and I do not see a denied page when I access unwanted sites.

Thanks

BSD Networking, Microsoft Notworking
Re: RDR question
Monah Baki wrote:
> rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> \
>     127.0.0.1 port 5000

Unless you host the unwanted sites on $ext_if, you may try 'to any' instead and let us know?
Re: RDR question
Hi,

It did not work, I get a blank page on all URLs. Here's my pf.conf, real basic.

  ext_if=sis0
  int_if=sis1

  #table <spamd-white> persist

  set skip on lo

  #scrub in

  nat-anchor "ftp-proxy/*"
  rdr-anchor "ftp-proxy/*"
  #rdr-anchor "relayd/*"

  nat on $ext_if from $int_if:network to any -> $ext_if
  # rdr pass on $ext_if proto tcp to port 80 -> 192.168.3.106 port 8080
  rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
  rdr on $ext_if proto tcp from 192.168.2.0/24 to any port 80 -> \
      127.0.0.1 port 5000
  rdr on $ext_if proto tcp from any to $ext_if -> 192.168.3.106 port 8080

  #no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
  #rdr pass on $ext_if proto tcp from any to any port smtp \
  #    -> 127.0.0.1 port spamd

  anchor "ftp-proxy/*"

  # block all
  pass out

Thanks

On Apr 13, 2008, at 1:59 PM, Dorian Büttner wrote:

> Monah Baki wrote:
>> rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> \
>>     127.0.0.1 port 5000
>
> Unless you host the unwanted sites on $ext_if, you may try 'to any' instead and let us know?

BSD Networking, Microsoft Notworking
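The interface point Dorian makes in this thread, as an added example that is not part of the thread: an rdr rule is evaluated on the interface a packet first arrives on, so an interception rule for the users on sis1 has to be bound to $int_if, not $ext_if. The addresses are the ones posted in the thread; the direct redirect to the proxy (without the inetd/nc hop) and the macro names are assumptions.

```pf
# Added example (not from the thread): transparent HTTP interception for
# the .2 network.  Addresses are from the thread; macro names are assumed.
ext_if = "sis0"               # 192.168.3.32, towards the proxy and the internet
int_if = "sis1"               # 192.168.2.1, towards the users
int_net = "192.168.2.0/24"
proxy = "192.168.3.106"       # the filtering proxy, listening on 8080

set skip on lo

nat on $ext_if from $int_net to any -> ($ext_if)

# Wrong interface: the users' packets enter on $int_if.  An rdr bound to
# $ext_if only sees packets arriving on $ext_if, so nothing is redirected
# and the browsers fetch the sites directly.
#rdr on $ext_if proto tcp from $int_net to any port 80 -> $proxy port 8080

# Right interface: translate on the side the packets arrive from.  The
# proxy's own fetches enter on $ext_if with source $proxy, so they never
# match this rule and there is no redirect loop.
rdr pass on $int_if proto tcp from $int_net to any port 80 -> $proxy port 8080

# Optional: keep the users' real addresses visible to the proxy instead of
# NATing them to 192.168.3.32.  Requires a route on the proxy for
# 192.168.2.0/24 via 192.168.3.32 so its replies come back through pf.
#no nat on $ext_if from $int_net to $proxy

# The rdr above is evaluated before these filter rules, on the translated
# packet; "rdr pass" already creates the state for the redirected flow.
block all
pass in on $int_if from $int_net to any
pass out on $ext_if
```

Two checks worth doing: `pfctl -sn` shows the translation rules actually loaded and the interface each is bound to, and `pfctl -ss` should show states with the destination rewritten to 192.168.3.106:8080 while a user browses. The proxy also has to be configured to accept intercepted requests: a redirected browser sends an ordinary request line with a Host header, not the proxy-style absolute URL it would send when the proxy is set explicitly in the browser.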
Re: rdr question
Hi,

Monah Baki wrote:
> rdr pass on $ext_if proto tcp to port 8080 -> 192.168.3.105 port 8080
> rdr pass on x.x.x.x proto tcp to port 8080 -> 192.168.3.106 port 8080
>
> From outside my network, if I enter x.x.x.x 8080 (which is the alias) in my browser proxy setting, I get redirected to the proxy 192.168.3.105, not the 106. If I comment out
>
> rdr pass on $ext_if proto tcp to port 8080 -> 192.168.3.105 port 8080
>
> then it works fine, my rdr rule works.

Since x.x.x.x also belongs to $ext_if, only the first rdr rule is taken... maybe change it like this:

  rdr pass on $ext_if proto tcp to ($ext_if:0) port 8080 \
      -> 192.168.3.105 port 8080
  rdr pass on $ext_if proto tcp to x.x.x.x port 8080 \
      -> 192.168.3.106 port 8080

($ext_if:0) is the main IP of the interface.

Michael
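The ordering point in Michael's reply, as an added example that is not part of the thread: translation rules in this pf syntax are first-match, unlike filter rules, so a catch-all rdr placed first shadows every more specific one after it. `x.x.x.x` is kept as the thread's placeholder for the alias address; the macro names are assumptions.

```pf
# Added example (not from the thread): one interface with a primary
# address and an alias, each redirected to a different proxy.  x.x.x.x is
# the thread's placeholder for the alias; macro names are assumed.
ext_if = "sis0"
proxy_main = "192.168.3.105"   # should get traffic sent to the primary address
proxy_alias = "192.168.3.106"  # should get traffic sent to the alias x.x.x.x

# Broken ordering: rdr rules are first-match, so the first rule that
# matches translates the packet and evaluation stops.  "to port 8080"
# with no address matches every address on $ext_if, alias included, and
# the second rule is never reached.
#rdr pass on $ext_if proto tcp to port 8080 -> $proxy_main port 8080
#rdr pass on $ext_if proto tcp to x.x.x.x port 8080 -> $proxy_alias port 8080

# Fixed: make each rule match exactly one destination address.
# ($ext_if:0) is expanded when the rule is evaluated and the ":0" modifier
# excludes interface aliases, so only the primary address matches here
# and packets for the alias fall through to the second rule.
rdr pass on $ext_if proto tcp to ($ext_if:0) port 8080 -> $proxy_main port 8080
rdr pass on $ext_if proto tcp to x.x.x.x port 8080 -> $proxy_alias port 8080

# The same result without relying on ordering at all: list the specific
# rule for the alias first, since the first match wins.
#rdr pass on $ext_if proto tcp to x.x.x.x port 8080 -> $proxy_alias port 8080
#rdr pass on $ext_if proto tcp to port 8080 -> $proxy_main port 8080
```

`pfctl -sn` prints the loaded translation rules in evaluation order, which is the quickest way to see that a catch-all sits above a more specific rule; `pfctl -ss` then shows which internal proxy each connection was actually sent to.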
Re: rdr question
Stuart Henderson scribbled on:
> --On 27 July 2005 00:27 +0200, GV wrote:
>> In general I would like to have one static IP where more than one domain is registered, and for each domain a different internal web server should serve the incoming requests!
>
> No, you need some kind of 'reverse-proxy' to do this type of thing (maybe pound, tinyproxy 1.70, or squid in accelerator-mode). It would run on either the PF box or another box that you rdr to.

httpd with mod_proxy enabled does this just fine for http; https is problematic...

--
Mark C. Prins
Spatial Fusion Specialist / Network Specialist
rdr question
Hi list,

Is it possible to have the following:

  rdr on $ext_if proto tcp from any to any port 80 -> $server

re-written as:

  rdr on $ext_if proto tcp from any to domain.com port 80 -> $server

where $server is an internal web server and domain.com a specific domain name?

In general I would like to have one static IP where more than one domain is registered, and for each domain a different internal web server should serve the incoming requests!

Thanks
George
Re: rdr question
--On 27 July 2005 00:27 +0200, GV wrote:
> Is it possible to have the following:
>
>   rdr on $ext_if proto tcp from any to any port 80 -> $server
>
> re-written as:
>
>   rdr on $ext_if proto tcp from any to domain.com port 80 -> $server
>
> where $server is an internal web server and domain.com a specific domain name?
>
> In general I would like to have one static IP where more than one domain is registered, and for each domain a different internal web server should serve the incoming requests!

No, you need some kind of 'reverse-proxy' to do this type of thing (maybe pound, tinyproxy 1.70, or squid in accelerator-mode). It would run on either the PF box or another box that you rdr to.