I would like some help to write some pf rules to force all traffic through one server - in both directions. I can't set up a dedicated firewall at this time so I'm adding to pf rules on my reverse proxy.
The network looks like:
Code:
              Public IP Address
                     |
                   gateway/modem
                192.168.1.254
                     |
                   pc-bsd
              (virtualbox host)
                192.168.1.10
                     |
            192.168.1.20 (nic le0)
           reverse proxy nginx (vm1)
             192.168.1.30 (nic le1)
                     |
           --------------------
          |                     |
     web server (vm2)    email server (vm3)
      192.168.1.140       192.168.1.150
My /etc/rc.conf has:
Code:
ifconfig_le0="inet 192.168.1.20 netmask 0xffffff00"
ifconfig_le1="inet 192.168.1.30 netmask 0xffffff00"
defaultrouter="192.168.1.254"
gateway_enable="YES"
The relevant part of my /etc/pf.conf is:
Code:
# External Interface - Connected To Gateway (& Internet)
ext_if = "le0"
# Internal Interface - Connected To Servers on LAN
int_if = "le1"
# Servers By Name
reverse_proxy_ext = "192.168.1.20"
reverse_proxy_int = "192.168.1.30"
web_server = "192.168.1.140"
email_server = "192.168.1.150"
I need to do the following:
- TCP traffic comes in via ext_if, nginx 'catches' port 80 TCP traffic and redirects to web server, and a pf rule lets this traffic go through int_if to the web server.
I'm not sure if I need NAT for this, but it appears I would need a pf rule to redirect nginx's redirect to int_if so it would then go to the web server (and right port - nginx listens for port 80 and sends to port 8083 on IP address 192.168.1.140). I'm really confused how to write a pf rule for this.
- SSH traffic comes in via ext_if and, if it is not for the reverse proxy itself, NAT/pf redirects this to int_if and it gets to the web or email server based on the IP address in the ssh command.
Again I'm not sure if I need NAT and/or pf rule for redirecting ssh to int_if then to the server referenced in the ssh command.
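Added example, not part of the original post: one way to write the two flows described above in FreeBSD pf syntax (nat/rdr section before the filter rules). It assumes SSH to the two backends is told apart by destination port (2222 and 2223 are chosen placeholders), since one public address cannot be split by destination IP, and that nginx needs no rdr because it opens its own new connection to 192.168.1.140:8083.

```pf
# Macros taken from the post
ext_if = "le0"
int_if = "le1"
reverse_proxy_ext = "192.168.1.20"
reverse_proxy_int = "192.168.1.30"
web_server = "192.168.1.140"
email_server = "192.168.1.150"
web_backend_port = "8083"

set skip on lo0

# --- Translation section (must precede filter rules in FreeBSD pf) ---
# HTTP needs no rdr: nginx terminates the client's port-80 connection on this
# host and opens a fresh TCP connection to $web_server:$web_backend_port.
# SSH to the backends is redirected by port (2222/2223 are assumed values);
# port 22 stays with the proxy itself. 'rdr pass' admits the redirected
# packet on $ext_if without a further 'pass in' rule.
rdr pass on $ext_if proto tcp from any to $reverse_proxy_ext port 2222 -> $web_server port 22
rdr pass on $ext_if proto tcp from any to $reverse_proxy_ext port 2223 -> $email_server port 22

# --- Filter section: default deny in both directions, log what is dropped ---
block log all

# Connections the proxy itself initiates towards the gateway/Internet
pass out on $ext_if keep state

# Services offered by the proxy: nginx on 80, its own sshd on 22
pass in on $ext_if proto tcp from any to $reverse_proxy_ext port { 80 22 } keep state

# nginx upstream connection to the web server, only via int_if, only port 8083
pass out on $int_if proto tcp to $web_server port $web_backend_port keep state

# Forwarded (rdr'ed) SSH leaving via int_if towards the two backends
pass out on $int_if proto tcp to { $web_server $email_server } port 22 keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -s rules` / `pfctl -s nat` afterwards to confirm both sections were parsed as intended.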