Kernel_Killer
March 13th, 2004, 23:37
How can you redirect packets to go to the domain that someone is trying to access? I've tried this with no avail.
rdr on $ex proto tcp from any to www.site1.com port 80 -> $http1 port 80
rdr on $ex proto tcp from any to www.site2.com port 80 -> $http2 port 80
Of course, all this did was make any connection to either site rotate as to what site was accessed. Is there a way this can be done? Should I be looking at the NAT instead?
elmore
March 13th, 2004, 23:55
can't you do this with binat
Kernel_Killer
March 14th, 2004, 02:17
Something new to me. I'll check it out. Thanx elmore. :)
Kernel_Killer
March 14th, 2004, 06:15
Well, the only reference I'm finding with binat, shows multiple servers with multiple IPs. I need to bind them both with one IP. Any ideas, or docs that could be pointed out?
Strog
March 15th, 2004, 00:55
Yeah, binat maps one IP to another so it's not going to accomplish what you are looking for.
I've thought about the solution to this for a while off and on now and I'm surprised that no one has coded it up yet. Your firewall would have to look at the HTTP 1.1 headers for the target and filter based on that. It seems some sort of proxy could handle this without a terrible amount of overhead (sure there's overhead with this). I know some people use Squid to proxy in front of webservers and you could probably find a way to make it do what you want. If you are trying to load balance the same content on multiple machines then you could use an address pool in PF to handle that.
Another alternative is to use Apache's proxy and rewrite module. You'd have to setup one of the machines up as the master to proxy the others through. I read a little mini-howto over on ntop's website the other day (http://www.ntop.org/UsageNotes.html).