Shane Lazarus wrote:
Heya
On Tue, Apr 20, 2010 at 5:43 AM, Leonardo Carneiro - Veltrac <[email protected]> wrote:
My OpenBSD firewall has 4 interfaces: 2 lan, 1 wan and 1 dmz.
What I'm trying to do is:
1. Allow some hosts to use MSN;
2. Redirect the MSN connections of some hosts from the LAN
interfaces to a MSN proxy in the DMZ interface;
3. Block the rest.
This is how I'm trying to achieve it:
# msn proxy redirect
rdr on $lan1_iface proto tcp from $msn-redirect to any port 1863 -> $proxy
rdr on $lan1_iface proto tcp from $msn-redirect to any port 25000:30000 -> $proxy
# msn filter
pass out quick on $inet_iface inet proto tcp from $msn-redirect to $proxy port 1863 keep state
pass out quick on $inet_iface inet proto tcp from $msn-allowed1 to any port 1863 keep state
pass out quick on $inet_iface inet proto tcp from $msn-allowed2 to any port 1863 keep state
pass out quick on $inet_iface inet proto tcp from $proxy to any port 1863 keep state
block out on $inet_iface inet proto tcp from any to any port 1863
Is the reference to passing out the redirected traffic to the $proxy
via the $inet_interface instead of the $dmz_interface correct, a typo
or the issue?
Shane
Hi Shane. No, it's not a typo. It's a last-second modification that I
tried before sending the email. It was 'any' before I replaced it with '$proxy'.
However, as you correctly observed, it's wrong :(
I'll try other rules today and I'll post them here. Thanks for your concern.
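A rule set that covers the three goals of the original message, added here as an example and not taken from the thread: it keeps the pre-4.7 rdr syntax the thread uses, passes the redirected connections out on the DMZ interface instead of $inet_iface, and assumes the interface names, addresses and macro names below (macro names use underscores because pf macro names may only contain letters, digits and underscores).

```pf
# Added example, not from the thread. Interface names and addresses are
# constructed placeholders; replace them with the firewall's own.
lan1_iface = "em1"
dmz_iface  = "em2"
inet_iface = "em0"
proxy        = "192.0.2.10"                 # MSN proxy in the DMZ (placeholder)
msn_redirect = "{ 10.0.1.20, 10.0.1.21 }"   # hosts forced through the proxy
msn_allowed  = "{ 10.0.1.30, 10.0.1.31 }"   # hosts allowed to connect directly
msn_ports    = "{ 1863, 25000:30000 }"      # login port plus file-transfer range

# 1. Translation: rewrite the destination of MSN connections from the
#    redirected hosts to the proxy. rdr runs before filtering, so every
#    filter rule below sees $proxy as the destination, not the Internet host.
rdr on $lan1_iface proto tcp from $msn_redirect to any port $msn_ports -> $proxy

# 2. Filtering. Without 'quick' the last matching rule wins, so 'quick' is
#    set on the pass rules and the block rule is evaluated last.
#    Translated connections enter on the LAN interface and leave on the DMZ
#    interface; they never appear on $inet_iface, which is why the original
#    "pass out on $inet_iface ... to $proxy" rule could not match.
pass in  quick on $lan1_iface inet proto tcp from $msn_redirect to $proxy port $msn_ports keep state
pass out quick on $dmz_iface  inet proto tcp from $msn_redirect to $proxy port $msn_ports keep state

#    Only the proxy itself and the explicitly allowed hosts reach MSN directly.
pass out quick on $inet_iface inet proto tcp from $proxy       to any port $msn_ports keep state
pass out quick on $inet_iface inet proto tcp from $msn_allowed to any port $msn_ports keep state

# 3. As in the original, everything else to the MSN login port is dropped
#    at the WAN interface.
block out quick on $inet_iface inet proto tcp from any to any port 1863
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax without activating it. If redirected hosts also sit behind the second LAN interface, the same rdr and "pass in" rules are needed on that interface too.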