2MuchRiceMakesMeSick
March 26th, 2005, 05:42
Can someone post up a simple 3-NIC DMZ with a computer on INT and a web server on DMZ? This would be greatly appreciated. Just as simple as possible, with nat, rdr and pass commands.

INT
EXT
DMZ

molotov
March 26th, 2005, 13:41
https://solarflux.org/pf/

There are tons of examples over there, good luck.

2MuchRiceMakesMeSick
March 26th, 2005, 19:35
Thanks for the reply.

The only DMZ example I can see, I cannot connect to. I guess the site is down.

I am just looking for a simple, no-frills DMZ setup using 3 NICs and 3 computers: a workstation, a server (with 3 NICs) and a web server. The less code the better. I learn best by example. TIA

2MuchRiceMakesMeSick
March 26th, 2005, 19:50
EXT="xl0"
INT="xl1"
DMZ="xl2"

WEBSRV=192.168.0.2

# redirect inbound HTTP to the DMZ web server
rdr on $EXT proto tcp from any to $DMZ port 80 -> $WEBSRV port 80

# masquerade the LAN behind the external address
nat on $EXT inet from $INT/24 to any -> ($EXT)

pass in quick on $INT all keep state
# outbound on the LAN interface (macro is INT; INET is not defined above)
pass out quick on $INT all keep state
pass out quick on $EXT all keep state


pass in on $EXT proto tcp from any to $DMZ port 80
pass in quick on $EXT proto tcp from any to $WEBSRV port 80 keep state


--------------------------------------------------------------------

Why doesn't incoming traffic get routed to the web server?
Please add comments/code to make this work.
It's much appreciated.

Strog
March 26th, 2005, 23:09
rdr on $EXT proto tcp from any to $DMZ port 80 -> $WEBSRV port 80

PF is seeing requests from any to (your external IP). No one is actually requesting the DMZ IP/interface/etc., so it's not forwarding. You need to change this to "from any to $EXT" to get it to redirect to where you want it to go. Filtering is done after the translation performed by the rdr, so your pass rule is fine.

nat on $EXT inet from $INT/24 to any -> ($EXT)

I'd change $INT/24 to $INT:network. It's a built-in macro that uses the network address and netmask that's bound to that interface. It's nice since you don't have to rewrite anything if you change your address range, netmask, etc.

I'd probably look at adding synproxy (http://www.openbsd.org/faq/pf/filter.html#synproxy) to your pass in to the web server. Priority Queueing (http://www.openbsd.org/faq/pf/queueing.html) with ALTQ really makes a difference on your connection and would be another good thing to check out. I'd definitely recommend adding it to your config once you have it up and running. If nothing else, check out Daniel Hartmeier's page on prioritizing TCP ACK packets (http://www.benzedrine.cx/ackpri.html). I didn't think it would help as much as it does until I tried it.

The list goes on for things you can do to tweak your network out, but I'll let you get it up and running before suggesting too much at once. I used to have fairly general rules in the beginning, but now I'm very explicit with all my rules. The more fine-grained you can make your rules, the better idea you'll have about what can get in and out of your network. :cool:
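A complete /etc/pf.conf for the three-NIC layout, with the rdr matching the external address as described above, as an added example for this thread and not any poster's own config. It keeps the pre-OpenBSD-4.7 nat/rdr syntax the thread uses; the interface names come from the posts, while the address ranges, the default-deny block, the DMZ DNS rule and the use of synproxy are assumptions made here:

```pf
# /etc/pf.conf  (added example, not the original poster's or Strog's config)
# Interface names follow the thread; the address ranges, the DMZ DNS rule and
# the default-deny block are assumptions.
ext_if = "xl0"
int_if = "xl1"              # LAN, assumed 192.168.1.0/24
dmz_if = "xl2"              # DMZ, assumed 192.168.0.0/24
webserver = "192.168.0.2"

set skip on lo0
scrub in all

# --- translation (evaluated before the filter rules) --------------------
# Masquerade the LAN only; $int_if:network tracks the interface's own
# address/netmask. The DMZ host has no nat rule, so it keeps its address.
nat on $ext_if inet from $int_if:network to any -> ($ext_if)

# Clients on the Internet address the external IP, so the rdr must match
# ($ext_if), not the DMZ interface. After this rule the destination is
# $webserver, and that is what the filter rules see.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $webserver port 80

# --- filtering ----------------------------------------------------------
# Deny by default and log the drops, so "why doesn't it get routed?" can be
# answered from pflog0 instead of guessed.
block log all

# Forwarded traffic may leave on any interface; the state also covers replies.
pass out quick on $ext_if inet keep state
pass out quick on $int_if inet keep state
pass out quick on $dmz_if inet keep state

# LAN hosts may start connections to the Internet and to the DMZ.
pass in quick on $int_if inet from $int_if:network to any keep state

# Internet -> web server, matched on the post-rdr destination. synproxy makes
# pf complete the TCP handshake before the DMZ host ever sees the SYN.
pass in quick on $ext_if inet proto tcp from any to $webserver port 80 \
    flags S/SA synproxy state

# The DMZ must never initiate traffic into the LAN; with "quick" this block
# wins over anything after it. The only thing the web server may start
# itself is DNS (assumed; add more only if the host really needs it).
block in quick on $dmz_if inet from $dmz_if:network to $int_if:network
pass in quick on $dmz_if inet proto udp from $webserver to any port 53 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and remember that pf only filters what the kernel forwards: OpenBSD ships with forwarding off, so `net.inet.ip.forwarding=1` has to be set in /etc/sysctl.conf or nothing will cross from xl0 to xl2 regardless of the rules. `tcpdump -n -e -ttt -i pflog0` shows what the `block log` rule is dropping. Two caveats: the rdr is bound to $ext_if, so a LAN client that connects to the external address is not redirected (use the DMZ address from the LAN, or add a second rdr on $int_if), and on OpenBSD 4.7 and later the nat/rdr rules above are written as `match ... nat-to` and `match ... rdr-to` instead.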

2MuchRiceMakesMeSick
March 27th, 2005, 01:14
Thanks for the reply :D

So this should work?

EXT="xl0"
INT="xl1"
DMZ="xl2"

WEBSRV=192.168.0.2

# redirect inbound HTTP arriving on the external address to the DMZ web server
rdr on $EXT proto tcp from any to $EXT port 80 -> $WEBSRV port 80

# masquerade the LAN behind the external address
nat on $EXT inet from $INT:network to any -> ($EXT)

pass in quick on $INT all keep state
# outbound on the LAN interface (macro is INT; INET is not defined above)
pass out quick on $INT all keep state
pass out quick on $EXT all keep state


pass in on $EXT proto tcp from any to $DMZ port 80
pass in quick on $EXT proto tcp from any to $WEBSRV port 80 keep state



--------------------------

And this is enough to route incoming traffic on port 80 to the third NIC ($DMZ)?

pass in on $EXT proto tcp from any to $DMZ port 80
pass in quick on $EXT proto tcp from any to $WEBSRV port 80 keep state

Strog
March 28th, 2005, 15:26
The 2nd pass would be fine.