Are there any RDR 1-to-1 Multiple Rule Shortcuts?


Alan McKay
Hi folks,

I have a firewall basically masking a bunch of IPs behind it, and a
bunch of rules that do RDRs from an IP on interface1 to an IP on
interface 2.  These are 1-to-1 IP mappings.  The firewall has a bunch
of CARP IPs defined on the external interface that map back to real
IPs (servers) behind it.

I could have sworn I once saw a way to do this with tables or macros
on each end of the RDR but I've been googling for some time now and
coming up with nothing.  And even checked my PDF copy of the book of
PF and search on every instance of "rdr" and found nothing.

Basically a bunch of these :

pass in  quick log on $extIf inet proto tcp from any to (external IP
#1) port (some port) rdr-to (internal IP #1)
pass in  quick log on $extIf inet proto tcp from any to (external IP
#2) port (some port) rdr-to (internal IP #2)

and so on.

I guess I could just try it on a DEV box but I'd like to know first.
Either define a macro or table for both the internal and external IPs
and let PF forward from the first one listed on the left, to the first
one on the right, and 2nd to 2nd and so on.

internalIPS = { 1 2 3 }
externalIPS = { 4 5 6 }

pass in  quick log on $extIf inet proto tcp from any to (externalIPs)
port (some port) rdr-to (internalIPs)

Maybe I'm just hallucinating :-)

--
"Don't eat anything you've ever seen advertised on TV"
         - Michael Pollan, author of "In Defense of Food"

Re: Are there any RDR 1-to-1 Multiple Rule Shortcuts?

Daniel Hartmeier
On Thu, Aug 14, 2014 at 02:56:45PM -0400, Alan McKay wrote:

> internalIPS = { 1 2 3 }
> externalIPS = { 4 5 6 }
>
> pass in  quick log on $extIf inet proto tcp from any to (externalIPs)
> port (some port) rdr-to (internalIPs)
>
> Maybe I'm just hallucinating :-)

There's no such thing with lists or tables, but you might be thinking of
'bitmask'

  ... to 192.168.0.0/24 rdr-to 10.0.0.0/24 bitmask

which is short for

  ... to 192.168.0.1 rdr-to 10.0.0.1
  ... to 192.168.0.2 rdr-to 10.0.0.2
  ... to 192.168.0.3 rdr-to 10.0.0.3
  ...
  ... to 192.168.0.255 rdr-to 10.0.0.255

You can adjust the netmask and network bits on the right-most argument
to "shift" the range of the internal IPs, but it must always be a
contiguous block.

There are more examples on

  http://www.openbsd.org/faq/pf/pools.html

HTH,
Daniel
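The point of Daniel's answer is that `bitmask` is not a "first-to-first" pairing of two lists but a bitwise operation: pf.conf(5) documents the `bitmask` pool option as applying the network portion of the redirection address to the address being rewritten, so the host bits of the original destination are kept and only the network bits are swapped. The script below is an added example by the editor, not code from the thread or from OpenBSD; it emulates that documented semantic in Python so you can predict which internal address a given external address lands on, verify that an existing set of explicit 1-to-1 `rdr-to` rules really collapses to one `bitmask` rule (the contiguous-block caveat), and, where it does not, generate the explicit per-pair rules in the form Alan already uses. The function names, the sample addresses and the `$extIf` macro are assumptions for the example.

```python
#!/usr/bin/env python3
"""Emulate pf's 'rdr-to <pool> bitmask' translation and expand paired
address lists into explicit rdr rules.

Added example code: not part of the original thread and not OpenBSD's
implementation.  It models the semantics documented in pf.conf(5) for
the 'bitmask' pool option: network bits come from the redirection
address, host bits from the address being rewritten.
"""
import ipaddress


def bitmask_rdr(dst: str, pool: str) -> str:
    """Return the address that 'rdr-to <pool> bitmask' maps `dst` to.

    The pool's prefix length decides which bits are network bits (taken
    from the pool) and which are host bits (kept from `dst`).
    """
    net = ipaddress.ip_network(pool, strict=False)
    d = ipaddress.ip_address(dst)
    if d.version != net.version:
        raise ValueError("address family mismatch between dst and pool")
    mapped = int(net.network_address) | (int(d) & int(net.hostmask))
    return str(ipaddress.ip_address(mapped))


def pairs_match_bitmask(pairs, pool):
    """Check whether explicit (external, internal) rdr pairs are reproduced
    by a single 'rdr-to <pool> bitmask' rule.

    Returns a list of (external, wanted_internal, bitmask_result) for every
    pair the bitmask rule would get wrong; an empty list means the explicit
    rules can be collapsed into one bitmask rule.
    """
    mismatches = []
    for ext, internal in pairs:
        got = bitmask_rdr(ext, pool)
        if ipaddress.ip_address(got) != ipaddress.ip_address(internal):
            mismatches.append((ext, internal, got))
    return mismatches


def expand_pairs(ext_ips, int_ips, port, ext_if="$extIf", proto="tcp"):
    """Generate one explicit 'pass ... rdr-to' rule per (external, internal)
    pair, in the form used in the original post.

    pf has no pairwise expansion of two lists or tables, so 1-to-1 mappings
    that do not form contiguous blocks have to be written out one per line.
    """
    if len(ext_ips) != len(int_ips):
        raise ValueError("external and internal lists must pair 1-to-1")
    return [
        f"pass in quick log on {ext_if} inet proto {proto} "
        f"from any to {ext} port {port} rdr-to {internal}"
        for ext, internal in zip(ext_ips, int_ips)
    ]


if __name__ == "__main__":
    # Daniel's example: 192.168.0.0/24 -> 10.0.0.0/24 keeps the last octet.
    print(bitmask_rdr("192.168.0.5", "10.0.0.0/24"))     # 10.0.0.5
    # "Shifting" the internal block by changing the pool's network bits.
    print(bitmask_rdr("192.168.0.5", "10.0.1.0/24"))     # 10.0.1.5
    # A shorter prefix keeps more host bits from the original destination.
    print(bitmask_rdr("192.168.3.7", "10.0.0.0/16"))     # 10.0.3.7

    # Constructed sample mapping (documentation addresses, not real hosts).
    # The second pair breaks the contiguous-block requirement, so a single
    # bitmask rule cannot express this set.
    pairs = [("203.0.113.10", "10.0.0.10"), ("203.0.113.11", "10.0.0.20")]
    bad = pairs_match_bitmask(pairs, "10.0.0.0/24")
    if bad:
        print("bitmask cannot express these pairs; explicit rules needed:")
        for rule in expand_pairs([p[0] for p in pairs],
                                 [p[1] for p in pairs], 443):
            print(rule)
```

Whichever form you end up with, load it with `pfctl -nf /etc/pf.conf` first: `-n` parses the ruleset without loading it, so a typo in a generated rule fails there rather than on a production firewall. Note that bitmask only ever rewrites the bits the pool's netmask says are network bits, so an external block and an internal block must share the same host numbering for it to work; anything else is a set of separate rules.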