I have recently started to build a firewall for my home network using OpenBSD 4.6 and PF. However, PF is completely new to me. I have read through the PF user's guide and I'm still having trouble figuring a few things out. I have a network architecture as follows:

    [ server server server ] ------- [Switch] -------- [OpenBSD] -------- [Internet]

I have configured the OpenBSD box to simply act as a transparent bridge. I have two network cards: fxp0 is the external card and vr0 is my internal card. Basically, what I would like to do is redirect incoming traffic from the internet to different servers. From what I have read, the rdr macro doesn't seem to take an inbound or outbound parameter. So what rule would I use to forward all incoming traffic destined for port 80 to one of the servers? Also, I would like to be able to log traffic intended for each server in a separate log file. I have already created three pflog interfaces, but I don't quite understand how pflogd works. Am I able to use the single daemon to log everything to separate files, or do I need to run multiple instances of the daemon to achieve this?
Have you seen the redirection examples in http://www.openbsd.dk/faq/pf/rdr.html ?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
I have read through the redirection stuff in the user guide, but it doesn't seem to work as intended. I have something like:

    rdr on $int_if proto tcp from any to any port 80 -> $webserver

However, my internal and external interfaces are set up as a bridge and neither has been assigned an IP address. So I have already allowed all inbound and outbound traffic on the external interface, and I'm doing all my filtering on the internal interface. Any idea what could be wrong here?
rdr is a catch-and-pitch (receive on the outside and re-transmit on the inside); therefore, likely, it should be:
Code:
```
rdr on $ext_if proto tcp from any to ($ext_if:0) port 80 -> $webserver
```
Code:
```
#
rdr on $ext_if proto tcp \
    from any to ($ext_if:0) port 80 \
    tag MYPORT80 -> $webserver
#
pass in log quick on $ext_if inet proto TCP \
    tagged MYPORT80 synproxy state
#
pass out log quick on $int_if inet proto TCP \
    tagged MYPORT80 keep state
#
```
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
Last edited by s2scott; 9th November 2009 at 07:04 AM.
Also, in a {server server server} scenario, you may hit the limits of PF's layer 3 and 4 only facilities, especially in a bridged mode.
If {server server server} is {web[80] email[25] ntp[123]}, then you're likely OK. If, however, it's one outside IP and {server server server} is {web-A[80] and web-B[80] and web-C[80]}, then you'll likely need to look at and use OpenBSD's relayd(8) in combination with PF.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
Last edited by s2scott; 9th November 2009 at 07:06 AM.
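As an added example that is not from any poster in this thread, the following pf.conf fragment ties the two questions together: the tagged rdr/pass pattern from the reply above, plus per-server logging through separate pflog(4) interfaces (the `log (to pflogN)` option and one pflogd instance per interface, both available in OpenBSD 4.6). The server and public addresses, the mail server, and the pflog1/pflog2 interface names are assumptions for illustration.

```pf
# Added example, not code from the thread. Addresses are constructed.
ext_if     = "fxp0"
int_if     = "vr0"
public     = "203.0.113.5"      # assumed public address the servers answer on
webserver  = "192.0.2.10"       # assumed internal web server
mailserver = "192.0.2.11"       # assumed internal mail server

# On a bridge with no address on $ext_if, ($ext_if:0) resolves to nothing,
# so match the public destination address explicitly. Tag each redirected
# flow so the pass rules can select it without repeating the address match.
rdr on $ext_if proto tcp from any to $public port 80 \
    tag WEB  -> $webserver
rdr on $ext_if proto tcp from any to $public port 25 \
    tag MAIL -> $mailserver

# One pflog interface per server. Each must exist before pfctl loads this
# file, e.g. "echo up > /etc/hostname.pflog1" (and pflog2), then
# "sh /etc/netstart pflog1 pflog2".
pass in log (to pflog1) quick on $ext_if inet proto tcp \
    tagged WEB  synproxy state
pass in log (to pflog2) quick on $ext_if inet proto tcp \
    tagged MAIL synproxy state

# A bridge sees the same packet leave on $int_if, so pass it there too;
# "log" without "(to ...)" goes to the default pflog0.
pass out quick on $int_if inet proto tcp tagged WEB  keep state
pass out quick on $int_if inet proto tcp tagged MAIL keep state

# A single pflogd reads a single interface, so run one daemon per file,
# e.g. from /etc/rc.local:
#   pflogd -i pflog1 -f /var/log/pflog-web
#   pflogd -i pflog2 -f /var/log/pflog-mail
# Read a file back with: tcpdump -n -e -ttt -r /var/log/pflog-web
```

Check the load with `pfctl -nf /etc/pf.conf` first, and confirm the tags fire with `pfctl -vsr` (the rule counters) before trusting the log split.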