PF, two Internet connections, and servers

linuxpyro · 02-16-2006, 06:22 PM

I have two network connections in my dorm room, and would like to set up my OpenBSD router to use them both (the box has three NICs). I would like most of my traffic to be routed through one of the connections, and use the other for my Webserver. Here is a copy of my pf.conf I have been playing around with for this:

Code:

# macros
int_if = "rl0"
ext_if1 = "dc0"
ext_if2 = "rl1"

tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

webserver = "192.168.2.1"
desktop = "192.168.2.3"

# options
set block-policy drop
set loginterface $ext_if1

# scrub
scrub in all

# nat/rdr
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
   port 8021
rdr on $ext_if2 proto tcp from any to ($ext_if2) port 80 -> $webserver
rdr pass on $ext_if1 proto { tcp, udp } from any to ($ext_if1) port 7500 -> $desktop
rdr on $ext_if1 proto tcp from any to ($ext_if1) port 6881 -> $desktop
rdr on $ext_if1 proto tcp from any to ($ext_if1) port 5190 -> $desktop

# filter rules
block all

pass quick on lo0 all

block drop in on $ext_if1 from $priv_nets to any
block drop out on $ext_if1 from any to $priv_nets

block drop in on $ext_if2 from $priv_nets to any
block drop out on $ext_if2 from any to $priv_nets

pass in on $ext_if1 inet proto tcp from any to ($ext_if1) \
   port $tcp_services flags S/SA keep state

#############
#Pass rules for forwarded ports.

#pass in on $ext_if1 proto tcp from any to $webserver port 80 \
#   flags S/SA synproxy state

pass in on $ext_if2 proto tcp from any to ($ext_if2) port 80 \
flags S/SA synproxy state

pass in on $ext_if1 proto tcp from any to $int_if port 7500 \
flags S/SA synproxy state

pass in on $ext_if1 proto udp from any to $int_if port 7500

pass in on $ext_if1 proto tcp from any to ($ext_if1) port 5190 \
flags S/SA synproxy state

pass in on $ext_if1 proto tcp from any to ($ext_if1) port 6881 \
flags S/SA synproxy state

pass in on $ext_if1 inet proto tcp from port 20 to ($ext_if1) \
   user proxy flags S/SA keep state

############

#Let's let OpenVPN traffic through...
pass quick on tun0

############

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if1 proto tcp all modulate state flags S/SA
pass out on $ext_if1 proto { tcp, udp, icmp } all keep state

pass out on $ext_if2 proto tcp all modulate state flags S/SA
pass out on $ext_if2 proto { tcp, udp, icmp } all keep state

Basically, I would like to route my Web surfing traffic from my desktop and other general Internet access out through ext_if1, and forward port 80 from ext_if2 to my Webserver. With this pf.conf, I can access the Internet fine through ext_if1, but I am not able to actually forward port 80 from ext_if2 to my Webserver. Any ideas?

linuxpyro · 02-22-2006, 01:05 PM

OK, I got it to work. Here is my new pf.conf:

[CODE]
# macros
int_if = "rl0"
ext_if1 = "dc0"
ext_if2 = "rl1"

tcp_services = "{ 113 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

webserver = "192.168.2.1"
desktop = "192.168.2.3"

# options
set block-policy drop
set loginterface $ext_if1

# scrub
scrub in all

# nat/rdr
nat on $ext_if1 from $int_if:network to any -> ($ext_if1)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
port 8021
rdr on $ext_if2 proto tcp from any to ($ext_if2) port 80 -> $webserver
rdr pass on $ext_if1 proto { tcp, udp } from any to ($ext_if1) port 7500 -> $desktop
rdr on $ext_if1 proto tcp from any to ($ext_if1) port 6881 -> $desktop
rdr on $ext_if1 proto tcp from any to ($ext_if1) port 5190 -> $desktop

# filter rules
block all

pass quick on lo0 all

block drop in on $ext_if1 from $priv_nets to any
block drop out on $ext_if1 from any to $priv_nets

block drop in on $ext_if2 from $priv_nets to any
block drop out on $ext_if2 from any to $priv_nets

pass in on $ext_if1 inet proto tcp from any to ($ext_if1) \
port $tcp_services flags S/SA keep state

#############
#Pass rules for forwarded ports.

pass in quick on $ext_if2 proto tcp from any to any port 80 \
flags S/SA modulate state

pass in on $ext_if1 proto tcp from any to $int_if port 7500 \
flags S/SA synproxy state

pass in on $ext_if1 proto udp from any to $int_if port 7500

pass in on $ext_if1 proto tcp from any to ($ext_if1) port 5190 \
flags S/SA synproxy state

pass in on $ext_if1 proto tcp from any to ($ext_if1) port 6881 \
flags S/SA synproxy state

pass in on $ext_if1 inet proto tcp from port 20 to ($ext_if1) \
user proxy flags S/SA keep state

############

#Let's let OpenVPN traffic through...
pass quick on tun0

############

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if1 proto { tcp, udp, icmp } from any to any flags S/SA modulate state

pass out on $ext_if2 proto { tcp, udp, icmp } from any to any flags S/SA modulate state
[CODE]