Thread: PF redirect to another IP on LAN




PF redirect to another IP on LAN
user name
2006-07-29 14:03:02
Hi

I've just successfully configured an OpenBSD bridge with two NICs to
separate and filter traffic between our private LAN (192.168.1.0/24) and
our router (192.168.1.120).
I've given an IP address to one of the NICs (192.168.1.121) on the
bridge and am running a Bind caching nameserver on it. Now, the next
thing we'd need to do would be to redirect any traffic that comes
through the bridge destined to IP address 192.168.1.121 port 80 to
another server in the LAN (192.168.1.103 port 80).
From what I understand, this entails using PF and the rdr statement. Any
ideas on how to do this successfully? Thanks.

------------------------------
Elaconta.com webmaster
------------------------------

PF redirect to another IP on LAN
user name
2006-07-29 15:04:34
man pf.conf

Secondly, it's been discussed numerous times on the list that bridges
have their place (I use them in production environments at our data
centre) but you'll find filtering a bridge much more difficult than
filtering a NAT.

On 7/29/06, elaconta.com Webmaster <webmasterelaconta.com> wrote:
> Hi
>
> I've just successfully configured an OpenBSD bridge with two NICs to
> separate and filter traffic between our private LAN (192.168.1.0/24) and
> our router (192.168.1.120).
> I've given an IP address to one of the NICs (192.168.1.121) on the
> bridge and am running a Bind caching nameserver on it. Now, the next
> thing we'd need to do would be to redirect any traffic that comes
> through the bridge destined to IP address 192.168.1.121 port 80 to
> another server in the LAN (192.168.1.103 port 80).
> From what I understand, this entails using PF and the rdr statement. Any
> ideas on how to do this successfully? Thanks.
>
> ------------------------------
> Elaconta.com webmaster
> ------------------------------

PF redirect to another IP on LAN
user name
2006-07-29 16:47:20
Peter Blair wrote:
> man pf.conf
>
> Secondly, it's been discussed numerous times on the list that bridges
> have their place (I use them in production environments at our data
> centre) but you'll find filtering a bridge much more difficult than
> filtering a NAT.
>
> On 7/29/06, elaconta.com Webmaster <webmasterelaconta.com> wrote:
>> Hi
>>
>> I've just successfully configured an OpenBSD bridge with two NICs to
>> separate and filter traffic between our private LAN (192.168.1.0/24) and
>> our router (192.168.1.120).
>> I've given an IP address to one of the NICs (192.168.1.121) on the
>> bridge and am running a Bind caching nameserver on it. Now, the next
>> thing we'd need to do would be to redirect any traffic that comes
>> through the bridge destined to IP address 192.168.1.121 port 80 to
>> another server in the LAN (192.168.1.103 port 80).
>> From what I understand, this entails using PF and the rdr statement. Any
>> ideas on how to do this successfully? Thanks.
>>
>> ------------------------------
>> Elaconta.com webmaster
>> ------------------------------
>
Wouldn't this do the trick?

rdr on rl1 proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.103

This bridge has IP address 192.168.1.121 configured in one of the NICs,
so isn't the above like saying:

"Redirect any port 80 traffic originally meant for me to 192.168.1.103"

Or is there something I'm not considering here?

------------------------------
Elaconta.com webmaster
------------------------------

PF redirect to another IP on LAN
user name
2006-07-29 17:16:30
> Wouldn't this do the trick?
>
> rdr on rl1 proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.103
>
> "Redirect any port 80 traffic originally meant for me to 192.168.1.103"

Yes, but why are you asking if you already have the answer? As stated in
the man page, your traffic will also need to pass filter evaluation AFTER
the redirect rule is processed. Can't you just test that line?

Kian
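
Added example (not part of the original thread): the rdr rule from the message above together with a filter rule written against the post-translation address, which is the point about filter evaluation happening after the redirect. It uses the pf.conf syntax of the era of the thread; the macro names and the block rule are assumptions made for illustration.

```conf
# Constructed pf.conf fragment. Addresses and interface come from the
# thread; macro names and the block rule are illustrative assumptions.
rdr_if    = "rl1"            # bridge member NIC that carries the IP
bridge_ip = "192.168.1.121"  # address clients connect to
web_srv   = "192.168.1.103"  # server that should receive port 80

# Translation rules are listed before filter rules.
rdr on $rdr_if proto tcp from any to $bridge_ip port 80 -> $web_srv port 80

# Scoped deny so the effect of the pass rules below is visible.
block in log on $rdr_if proto tcp from any to { $bridge_ip, $web_srv } port 80

# Written against the ORIGINAL destination. It never matches the
# redirected connection, because the filter rules see the packet after
# rdr has already rewritten the destination to $web_srv:
# pass in on $rdr_if proto tcp from any to $bridge_ip port 80 keep state

# Written against the TRANSLATED destination. This is the rule that
# lets the redirected connection through:
pass in on $rdr_if proto tcp from any to $web_srv port 80 flags S/SA keep state

# Checks:
#   pfctl -nf /etc/pf.conf   parse the ruleset without loading it
#   pfctl -s nat             show the loaded rdr rule
#   pfctl -s state           after a test connection, the state entry
#                            lists both the original and translated address
#
# OpenBSD 4.7 and later replaced the standalone rdr rule with the
# rdr-to option on pass/match rules.
```

Because the block rule logs, a connection that is redirected but not passed shows up on pflog0, which separates a rule that did not redirect from a rule that redirected into a deny.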

PF redirect to another IP on LAN
user name
2006-07-29 18:16:45
Kian Mohageri wrote:
>> Wouldn't this do the trick?
>>
>> rdr on rl1 proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.103
>>
>> "Redirect any port 80 traffic originally meant for me to 192.168.1.103"
>
> Yes, but why are you asking if you already have the answer? As stated in
> the man page, your traffic will also need to pass filter evaluation AFTER
> the redirect rule is processed. Can't you just test that line?
>
> Kian
>
If I knew that was the correct answer, of course I wouldn't have asked.
As for passing the filter evaluation, I'll disable the PF filters and
test just this redirecting rule then.

Thanks.

-----------------------------
Elaconta.com webmaster
-----------------------------
