PF redirect between interfaces based on protocol/port

I would like some help to write some pf rules to force all traffic through one server - in both directions. I can't set up a dedicated firewall at this time so I'm adding to pf rules on my reverse proxy.

The network looks like:
Code:
              Public IP Address
                     |
                gateway/modem
                192.168.1.254
                     |
                   pc-bsd
              (virtualbox host)
                192.168.1.10
                     |
            192.168.1.20 (nic le0)
           reverse proxy nginx (vm1)
            192.168.1.30 (nic le1)
                     |
           --------------------
          |                    |
     web server (vm2)   email server (vm3)
      192.168.1.140      192.168.1.150

My /etc/rc.conf has:

Code:
ifconfig_le0="inet 192.168.1.20 netmask 0xffffff00"
ifconfig_le1="inet 192.168.1.30 netmask 0xffffff00"
defaultrouter="192.168.1.254"
gateway_enable="YES"

The relevant part of my /etc/pf.conf is:

Code:
# External Interface - Connected To Gateway (& Internet)
ext_if = "le0"
# Internal Interface - Connected To Servers on LAN
int_if = "le1"
# Servers By Name
reverse_proxy_ext = "192.168.1.20"
reverse_proxy_int = "192.168.1.30"
web_server = "192.168.1.140"
email_server = "192.168.1.150"

I need to do the following:

  1. TCP traffic comes in via ext_if, nginx 'catches' port 80 TCP traffic and redirects to web server, and a pf rule lets this traffic go through int_if to the web server.

    I'm not sure if I need NAT for this, but it appears I would need a pf rule to redirect nginx's redirect to int_if so it would then go to the web server (and the right port - nginx listens on port 80 and sends to port 8083 on IP address 192.168.1.140). I'm really confused about how to write a pf rule for this.
  2. SSH traffic comes in via ext_if and, if it is not for the reverse proxy itself, NAT/pf redirects this to int_if and it gets to the web or email server based on the IP address in the ssh command.

    Again I'm not sure if I need NAT and/or pf rule for redirecting ssh to int_if then to the server referenced in the ssh command.
Please help :r
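One way to express both requirements in pf, added here as an illustration and not taken from the thread or from any reply in it. It keeps the interface macros and addresses from the post and assumes that the internal servers are reachable from the proxy only through int_if and that nginx is configured to proxy port 80 to 192.168.1.140:8083. Because a single external address cannot tell "ssh to the web server" from "ssh to the email server", the example maps a distinct external port to each server (2222 and 2223 are arbitrary choices); the ssh client then names the proxy's address and that port rather than the internal IP. The nat rule on int_if rewrites the source of forwarded connections to the proxy's internal address so that replies return through this host even when the servers' default route points at the modem; without it the return path is asymmetric and pf will drop the state.

```pf
# /etc/pf.conf fragment (added example, not the poster's own rules)
# External Interface - Connected To Gateway (& Internet)
ext_if = "le0"
# Internal Interface - Connected To Servers on LAN
int_if = "le1"
# Servers By Name
reverse_proxy_ext = "192.168.1.20"
reverse_proxy_int = "192.168.1.30"
web_server = "192.168.1.140"
email_server = "192.168.1.150"
# External ports used to reach each server's sshd (arbitrary, assumed)
ssh_web_port = "2222"
ssh_mail_port = "2223"

set skip on lo0
scrub in all

# Translation rules are evaluated before filter rules.
# Source-NAT everything the proxy forwards to the servers so that their replies
# come back through int_if instead of going straight to the modem.
nat on $int_if from any to { $web_server, $email_server } -> ($int_if)

# SSH: one external port per internal server. After the rdr, filter rules see the
# translated destination (the server and port 22), not the original one.
rdr on $ext_if proto tcp from any to $reverse_proxy_ext port $ssh_web_port -> $web_server port 22
rdr on $ext_if proto tcp from any to $reverse_proxy_ext port $ssh_mail_port -> $email_server port 22

# Default deny inbound; everything passed below is stateful.
block in log all
pass out keep state

# Services terminated on the proxy itself: its own sshd and nginx.
pass in on $ext_if proto tcp from any to $reverse_proxy_ext port { 22, 80 } keep state

# Redirected SSH sessions on their way to the internal servers.
pass in on $ext_if proto tcp from any to { $web_server, $email_server } port 22 keep state

# nginx's upstream connection to the web server (no rdr needed: nginx opens a
# new TCP connection to 192.168.1.140:8083, pf only has to let it out).
pass out on $int_if proto tcp from ($int_if) to $web_server port 8083 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s state` shows the translated entries while a test ssh session to port 2222 or 2223 is open, and `tcpdump -ni pflog0` shows what the `block in log` rule is discarding.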
I originally posted this a few days ago under 'Networking' and found no solution.
And none here after a day, so I've wasted enough time on this problem.

I'm going to keep things simple (insecure) and remove the second interface from the reverse proxy and not build a proper firewall on it.
I'll just ssh to it externally and then from it to internal servers, and all http traffic can continue to pass from web server directly to gateway rather than through pf on the reverse proxy.