Re: rdr rule for proxy
sorry, should have posted the value of $DOMAIN in original post
anyway, it's DOMAIN = 'xxx.xxx.xxx.0/24'
Arne P. Boettger wrote:
> Hi Chad,
>
> In lists.openbsd-misc, you wrote:
>
>>running openbsd 3.2 - just upgraded this morning
>>and I have one pf rule I can't get to work
>>
>># Redirect HTTP requests to Proxy Server except DOMAIN Web Sites
>>rdr on $Int inet proto tcp from $Lan to ! $DOMAIN port 80 ->
>>xxx.xxx.xxx.8 port 80
>>
>>here is all i get when i try to load pf.conf with the rule applied
>>firewall:~ # pfctl -f /etc/pf.conf
>>/etc/pf.conf:62: syntax error
>>pfctl: Syntax error in file: pf rules not loaded
>>
>>I'm assuming it has to do with the ! $DOMAIN
>>if I take that part out and just go with
>>rdr on $Int inet proto tcp from $Lan to any port 80 -> xxx.xxx.xxx.8
>>port 80
>>it will work but I don't want to proxy for my local webservers.
>
>
> we can't help you on this without knowing what value $DOMAIN has.
> If it is what I think, a domain name like openbsd.org, it won't work
> because pfctl has no way of knowing which IP addresses have servers
> in this domain and which don't.
> You can only filter based on IP addresses or IP networks. You also
> need to be careful if you want to use a list of IP addresses here
> because "rdr ... ! {host1, host2} ..." is expanded to
>
> rdr ... ! host1 ...
> rdr ... ! host2 ...
>
> so every packet matches at least one of those rules.
>
> Ciao, Arne.
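The exclusion Arne warns about, written out as a pf.conf fragment; this is an added example and not part of the thread. The macro values are placeholders standing in for the xxx.xxx.xxx addresses, and it assumes the `no rdr` prefix is available in the pf version in use.

```pf
# Added example (not from the thread). Addresses and interface are placeholders.
Int    = "fxp1"                  # internal interface (assumption)
Lan    = "192.0.2.0/24"          # internal client network (placeholder)
DOMAIN = "198.51.100.0/24"       # local web servers, stands in for xxx.xxx.xxx.0/24
Proxy  = "198.51.100.8"          # transparent proxy, stands in for xxx.xxx.xxx.8

# The pitfall Arne describes: a negated list is expanded into one rule per
# element, and any destination is unequal to at least one element, so every
# port-80 packet still gets redirected. Do NOT write it like this:
# rdr on $Int inet proto tcp from $Lan to ! { 198.51.100.1, 198.51.100.2 } port 80 -> $Proxy port 80

# Exclude the local web servers first. Translation rules are evaluated
# first-match, and "no rdr" stops translation for packets it matches, so the
# general rdr below never applies to them.
no rdr on $Int inet proto tcp from $Lan to $DOMAIN port 80

# Everything else from the LAN on port 80 goes to the proxy. Keep the rule on
# one line or continue it with a trailing backslash; pf.conf does not join
# lines after "->".
rdr on $Int inet proto tcp from $Lan to any port 80 -> $Proxy port 80

# Filter rules see the translated destination, so the redirected traffic
# must be passed to the proxy address, not to the original web server.
pass in on $Int inet proto tcp from $Lan to $Proxy port 80 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax without replacing the active ruleset.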