RDR rules in pf and source ip.

Hi!

I've got a problem with rdr rules in pf. I've got a firewall running FreeBSD which redirects port 80 to a web server on the LAN behind this firewall. The rdr rules work fine, but in the Apache access log I see only the firewall's IP. The configuration of pf is something like this:

Code:
ext_if="xl0"                    # external interface of the firewall
int_ifw="xl2"                   # internal interface of the firewall
ext_ip="xxx.xxx.xxx.xxx"        # external ip of the firewall
int_netw="172.16.1.5"           # ip of web server

# translates the source of every redirected connection to the firewall's internal address
nat on $int_ifw proto tcp from any to 172.16.1.5 port 80 -> ($int_ifw)
# redirects inbound port 80 on the external address to the web server
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $int_netw port 80

block in all

# filtered after rdr, so the destination is already the web server address
pass in on $ext_if proto tcp from any to $int_netw port 80 keep state


The official pf documentation says that rdr rules apply before filtering, so the source IP of the web server's client is substituted with the firewall's internal IP. Is there any way to keep the real source IP of the client of the web server? Also, I have a mail server behind the firewall and I need to know the real IP of clients to block untrusted connections.

Thanks!
 
Use nat on the external interface. You don't have to explicitly nat traffic to your internal network.

Code:
# no nat on $int_if, so the server sees the client's own source address
nat on $ext_if from $int_net to any -> $ext_if
# "rdr pass" also creates the state for the redirected connection
rdr pass on $ext_if inet proto tcp from any to $ext_if port 80 -> $webserver
pass out on $int_if inet proto tcp from any to $webserver port 80

should work fine.
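A complete pf.conf built from the answer above, as an added example that is not part of either post. The answer's fragment uses the macros $int_net, $int_if and $webserver without defining them, so they are defined here; the interface names and the web server address are taken from the question, while the LAN prefix 172.16.1.0/24, the mail server address 172.16.1.6 and the table name <untrusted> are assumptions. The mail server part shows the second thing the question asks for: with the real client address arriving at the firewall, untrusted senders can be refused there rather than on the mail server.

```conf
# Added example, not the original poster's configuration.
ext_if     = "xl0"              # external interface of the firewall
int_if     = "xl2"              # internal interface of the firewall
int_net    = "172.16.1.0/24"    # LAN behind the firewall (assumed prefix)
webserver  = "172.16.1.5"       # web server on the LAN
mailserver = "172.16.1.6"       # mail server on the LAN (assumed address)

# Client addresses to refuse; survives reloads and is managed at runtime
# with: pfctl -t untrusted -T add 198.51.100.7
table <untrusted> persist

set skip on lo0

# Only outbound LAN traffic is translated. There is deliberately no nat
# rule on $int_if, so redirected inbound connections reach the servers
# with the client's real address as source.
nat on $ext_if inet from $int_net to any -> ($ext_if)

# Inbound HTTP and SMTP are redirected to the LAN servers. "rdr pass"
# creates the state entry itself, so no separate "pass in" rule is needed.
# SMTP from an address in <untrusted> matches no rdr rule and is dropped
# by "block in all" below, because the firewall still sees the real source.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $webserver
rdr pass on $ext_if inet proto tcp from ! <untrusted> to ($ext_if) port 25 -> $mailserver

block in all

# Let the redirected connections leave on the internal interface.
pass out on $int_if inet proto tcp from any to $webserver port 80
pass out on $int_if inet proto tcp from any to $mailserver port 25

# LAN hosts may initiate anything outbound.
pass in on $int_if inet from $int_net to any
pass out on $ext_if inet from any to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. After a client connects, `pfctl -s state` shows one entry per redirected connection with the web server address, the external address and the client's own address, and `tcpdump -ni xl2 tcp port 80` on the internal interface shows the client's address as the source, which is what Apache then logs. The one caveat is routing: because the source is no longer rewritten, the web and mail servers must use the firewall's internal address as their default gateway, otherwise their replies never pass back through pf and the TCP handshake does not complete. Translating on the internal interface, as in the original configuration, is only a workaround for that asymmetric-routing case, and it costs you exactly the client address the question is about.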