Re: rdr to another machine and back

To: freebsd-pf@xxxxxxxxxxx
Subject: Re: rdr to another machine and back
From: Max Laier <max@xxxxxxxxxxxxxx>
Date: Wed, 3 Nov 2004 18:45:59 +0100
Delivered-to: freebsd-pf@xxxxxxxxxxx
In-reply-to: <20041027135721.C553C68004@xxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-id: Technical discussion and general questions about packet filter (pf) <freebsd-pf.freebsd.org>
List-post: <mailto:freebsd-pf@freebsd.org>
List-subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>, <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
List-unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>, <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
References: <20041027135721.C553C68004@xxxxxxxxxxxxxxxxxxxxxxxxx>
User-agent: KMail/1.7

Hi Lawrence,

On Wednesday 27 October 2004 15:57, Lawrence Farr wrote:
> I'm trying to work out how to get a gateway machine
> to send all http requests to a separate machine and
> get them back, network looks like this:

[ hmm ... ASCII art killed by mail reader ]

Setup understood.

> So the router has 3 interfaces, one to the outside
> world, one externally available network and one
> internal. The proxy has 2 interfaces one to internal
> and one externally available. I can redirect port 80
> to a proxy on the router without any issue, but want
> to send them to the separate proxy machine. Has anyone
> done this, or does anyone know of a howto?

Well, it would be helpful to see tcpdumps from the proxy on the NIC connected 
with the gateway. Also if you ask questions like this, please try to include 
significant details about your ruleset. It's always helpful to check if the 
rules that you tried are matched at all (pfctl -vsr or -vsn in your case).

Other than that, I don't know of a howto for this specific problem, the 
pf.conf(5) manpage has some examples that redirect incoming SSH traffic to a 
different host, though. It should be possible to take it from there. Make 
sure that the proxy knows how to get back (i.e. has a route to the client - 
remember "rdr" will not translate the source address!)

> Many thanks

[ Sorry for the delay, EuroBSDCon has been demanding - and a lot of FUN! ]

-- 
/"\  Best regards,                      | mlaier@xxxxxxxxxxx
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Attachment: pgppOl4XvpbGk.pgp
Description: PGP signature

References:
- rdr to another machine and back
  - From: Lawrence Farr

Prev by Date: Re: kern/72444: PF can't properly detect interface after 'ifconfig XXX name YYY'
Next by Date: Re: NAT Loopback
Previous by thread: rdr to another machine and back
Next by thread: pf and multicast
Index(es):
- Date
- Thread