Hello!
My guess is you don't get anything logged since you pass with the rdr rules.
Maybe it is cleaner to keep translation and filtering separate, e.g.
have translation rules like this:
rdr on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80
And then you need to pass not to the external interface's IP address but
to where your real server is, so to say, e.g. the rule
pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state
should rather read
pass in on $ext_if proto tcp from any to $webby_server port 80 keep state
And also note that a rule like this works when there aren't other rules that
match the packet. Maybe it is more straightforward, at least for
debugging, to add the 'quick' keyword to it, which makes the rule match no
matter what follows, like this:
pass in quick on $ext_if proto tcp from any to $webby_server port 80 keep state
Imre
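As an added example (not part of either mail in this thread), here is Parvinder's ruleset reworked along the lines Imre suggests: translation and filtering separated, the filter rules aimed at the translated internal address, and 'quick' on the rules being debugged. The macro values are the ones from the quoted post; the bruteforce/kiddies tables and the ssh rate-limiting rule are left out to keep it short, and the syntax is the pre-OpenBSD-4.7 nat/rdr dialect the post uses (later releases replaced nat/rdr with match/pass ... nat-to/rdr-to).

```pf
# Added example, not from the original mail: Parvinder's ruleset with
# translation and filtering kept separate. Macro values are those from the
# quoted post; the tables and the ssh rate-limit rule are omitted here.
ext_if="sk0"
int_if="gem0"
external_ip="70.40.22.17"
webby_ip="70.40.22.18"
webby_server="172.16.10.11"
squid_ip="70.40.22.19"
squid_server="172.16.10.12"

set loginterface $ext_if
scrub in

# Translation only. Without "pass" on the rdr rules every redirected packet
# still goes through the filter rules below, so "log" there actually fires.
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
rdr on $ext_if proto tcp from any to $webby_ip port 80   -> $webby_server port 80
rdr on $ext_if proto tcp from any to $webby_ip port 443  -> $webby_server port 443
rdr on $ext_if proto tcp from any to $squid_ip port 80   -> $squid_server port 80
rdr on $ext_if proto tcp from any to $squid_ip port 3128 -> $squid_server port 3128

# Default deny on the external interface, logged to pflog0. (A "block in
# log on pflog0" rule, as in the original, binds the rule to the log
# interface itself rather than to the external interface.)
block in log on $ext_if
pass out keep state

# Filtering. rdr has already rewritten the destination, so these rules match
# the internal server address, not the public one. "quick" ends evaluation
# at the first match, so a later rule cannot silently override them.
pass in log quick on $ext_if proto tcp from any to $webby_server port { 80 443 } flags S/SA keep state
pass in log quick on $ext_if proto tcp from any to $squid_server port { 80 3128 } flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $external_ip port ssh flags S/SA keep state
pass in quick on $ext_if proto icmp from any to $external_ip keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then watch `tcpdump -n -e -ttt -i pflog0` while connecting to 70.40.22.18 port 80 from outside; because the log is taken at filter time, after rdr, the logged packets show the internal destination 172.16.10.11. `pfctl -vvsr` shows per-rule evaluation and packet counters, which is the quickest way to see whether a given pass rule is being hit at all.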
Parvinder Bhasin wrote:
List,
I am having some issues while redirecting traffic to port 80 on the
$squid_server.
I have this server serving two purposes: an Apache web server and a Squid
server. I can definitely get to the PROXY services fine but cannot get
to the WWW (port 80) on the same server.
Another issue is that when I try to actively look at the pflog by
running "tcpdump -n -e -ttt -i pflog0", I don't get anything even
when the traffic is passing and/or getting blocked.
Any help is highly appreciated.
thx.
For this I have the following pf config:
ext_if="sk0"
int_if="gem0"
pf_log="pflog0"
webby
set skip on enc0
set skip on gre0
external_ip="70.40.22.17"
external_ips="{70.40.22.17 70.40.22.18 70.40.22.19}"
external_net="{70.40.22.17 70.40.22.18 70.40.22.19}"
internal_ip="172.16.10.10"
internal_networks="{172.16.10.0/24 172.16.100.0/24 172.16.200.0/24}"
webby_ip="70.40.22.18"
webby_server="172.16.10.11"
squid_ip="70.40.22.19"
squid_server="172.16.10.12"
# block_ip="70.40.22.20"
block_server="172.16.10.12"
######TABLES########
table <bruteforce> persist
table <kiddies> persist
#### OPTIONS #####
set loginterface $ext_if
set loginterface $int_if
scrub in
#### NAT/REDIRECTS ####
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
# rdr pass on $ext_if proto tcp from any to $block_ip port 80 -> $squid_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 443 -> $webby_server port 443
rdr pass on $ext_if proto tcp from any to $squid_ip port 3128 -> $squid_server port 3128
rdr pass on $ext_if proto tcp from any to $squid_ip port 80 -> $squid_server port 80
###### FILTERS #####
block log quick from <bruteforce>
block log quick from <kiddies>
block in log on $pf_log
# pass in quick on $int_if
pass out keep state
pass in on $ext_if proto icmp from any to $external_ip keep state
pass in on $ext_if proto tcp from any to $external_ip port ssh keep state
pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state
pass in on $ext_if proto tcp from any to $webby_ip port 443 keep state
pass in log (all, to $pf_log) on $ext_if proto tcp from any to $squid_ip port 3128 keep state
pass in on $ext_if proto tcp from any to $squid_ip port 80 keep state
# pass in on $ext_if proto tcp from any to $block_ip port 80 keep state
pass in on $ext_if proto tcp from any to $external_ips port 22 keep state
pass inet proto tcp from any to $external_net port 22 flags S/SA keep state (max-src-conn 25, max-src-conn-rate 15/5, overload <bruteforce> flush global)
# block in quick on $ext_if
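As an added example (not part of the thread, and not pfctl), the following small, hypothetical checker reads a pre-4.7 style pf.conf and flags the two things Imre points out in the ruleset above: `rdr pass` rules, which let translated packets skip the filter rules so a later `pass in log` never logs them, and `pass in` rules whose destination is an rdr's external address rather than the translated internal address the filter actually sees. It assumes one rule per line and single ports (no `{ }` lists); the sample ruleset inside it is constructed from lines of the quoted post.

```python
import re

# Added example: a small, hypothetical lint for pre-OpenBSD-4.7 pf.conf files.
# It is not pfctl and only understands one rule per line with a single port.
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
RDR_RE = re.compile(
    r'^rdr(?P<pass>\s+pass)?\s+on\s+\S+.*\bto\s+(?P<ext>\S+)\s+port\s+(?P<port>\S+)'
    r'\s+->\s+(?P<int>\S+)')
PASS_RE = re.compile(r'^pass\s+in\b.*\bto\s+(?P<dst>\S+)\s+port\s+(?P<port>\S+)')


def expand(line, macros):
    """Substitute $name with the macro's value; unknown macros are left as-is."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), line)


def lint(conf):
    """Return a list of findings (one string per problem) for a pf.conf text."""
    macros, redirects, findings = {}, {}, []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = expand(line, macros)
        m = RDR_RE.match(line)
        if m:
            # remember external (pre-translation) -> internal (post-translation)
            redirects[(m['ext'], m['port'])] = m['int']
            if m['pass']:
                findings.append(
                    f"line {lineno}: 'rdr pass' lets traffic to {m['ext']} port "
                    f"{m['port']} skip the filter rules, so no filter rule can log it")
            continue
        m = PASS_RE.match(line)
        if m and (m['dst'], m['port']) in redirects:
            findings.append(
                f"line {lineno}: 'pass in ... to {m['dst']} port {m['port']}' names the "
                f"pre-translation address; the filter sees "
                f"{redirects[(m['dst'], m['port'])]} after rdr")
    return findings


# Constructed sample, reduced from the ruleset quoted in the thread.
SAMPLE_CONF = """\
ext_if="sk0"
webby_ip="70.40.22.18"
webby_server="172.16.10.11"
squid_ip="70.40.22.19"
squid_server="172.16.10.12"
rdr pass on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80
rdr on $ext_if proto tcp from any to $squid_ip port 3128 -> $squid_server port 3128
pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state
pass in log on $ext_if proto tcp from any to $squid_ip port 3128 keep state
pass in quick on $ext_if proto tcp from any to $squid_server port 3128 keep state
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run against the sample it reports the `rdr pass` on line 6 and the two pass rules (lines 8 and 9) that name the public addresses; the last rule, which targets $squid_server, is what the filter actually matches and is not flagged. Point `lint()` at the contents of a real pf.conf of this style (with wrapped rules joined onto one line) to get the same report for it.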