Re: rdr vs pass
Ok, maybe I better give an example with some more real-looking IP numbers.
Let's make believe 209.247.228.201 is someone I want to give access to my LDAP server. I think LDAP is port 389. My LDAP server uses the outside address of 156.122.130.19, but on the inside of my network it is 10.2.4.5.
What my co-worker proposes is:
rdr on fxp0 proto tcp from 209.247.228.201/32 to 156.122.130.19 port 389 -> 10.2.4.5 port 389
?? What my co-worker suggests is that this is just as secure as what I would do, which is:
rdr on fxp0 proto tcp from any to 156.122.130.19 port 389 -> 10.2.4.5 port 389
pass in quick on fxp0 proto tcp from 209.247.228.201/32 to 10.2.4.5/32 port 389 keep state
Ignore any minor syntax errors; this was off the top of my head.
--ja
On Tue, 1 Mar 2005, Mike Piety wrote:
> On Tue, 1 Mar 2005 15:26:56 -0600
> "Rolen, Mark E." <MERolen@apacmail.com> wrote:
>
> > I'm unsure as to why you'd ever rdr traffic that you intended to
> > block, so it used to peeve me to have to create pass rules to cover
> > what I'd already redirected. I was glad to see "rdr pass" come along.
> > Granted, I'm *not* a
> > professional firewall guy, so there may be legit reasons to rdr and
> > then block, and if so, I'd be curious to know 'em.
> >
>
> The only thing I rdr pass for is spamd running on the firewall.
>
> >
> > -----Original Message-----
> > From: jabbott@abbotts.org [mailto:jabbott@abbotts.org]
> > Sent: Tuesday, March 01, 2005 3:14 PM
> > To: Rolen, Mark E.
> > Cc: misc@openbsd.org
> > Subject: RE: rdr vs pass
> >
> > Right, that is what he is talking about. What I am asking is: is this
> > a good thing?
> >
> > --ja
> >
> > On Tue, 1 Mar 2005, Rolen, Mark E. wrote:
> >
> > >
> > > >On Tue, 2005-03-01 at 14:38:57 -0600, jabbott@abbotts.org proclaimed...
> > > >> What is the opinion of the list?
> > > >To redirect traffic IN on one interface OUT another, you need rdr.
> > > >To permit this behavior, you ALSO need a rule to permit/deny/etc.
> > >
> > > In newer versions of pf, you can just:
> > >
> > > rdr pass on $ext_if ....
> > >
> > > and skip creating pass rules to cover the rdr.
> > >
> > > Regards,
> > > Mark
> > >
> >
> > --
>
>
--
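To see exactly where the two rulesets above differ, here is an added example (not from the thread or from pf itself) that models the pf pipeline of this era: rdr rules rewrite the destination first, and the filter rules then judge the rewritten packet. The tuple rule format and the 203.0.113.7 "stranger" address are constructed for the demonstration.

```python
"""Toy model of pf's inbound path as discussed in the thread (pf of 2005):
rdr rewrites the destination first, then the filter sees the rewritten packet."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int

def _match(pkt, src, dst, dport):
    """src/dst are CIDR strings; dport None means any port."""
    return (ip_address(pkt.src) in ip_network(src)
            and ip_address(pkt.dst) in ip_network(dst)
            and (dport is None or pkt.dport == dport))

def apply_rdr(pkt, rdr_rules):
    """rdr phase: first matching (src, dst, dport, new_dst) rewrites dst."""
    for src, dst, dport, new_dst in rdr_rules:
        if _match(pkt, src, dst, dport):
            return replace(pkt, dst=new_dst)
    return pkt

def filter_pkt(pkt, filter_rules):
    """Filter phase: last matching (action, quick, src, dst, dport) wins,
    'quick' stops evaluation, and no match means the implicit default: block."""
    verdict = "block"
    for action, quick, src, dst, dport in filter_rules:
        if _match(pkt, src, dst, dport):
            verdict = action
            if quick:
                break
    return verdict

def decide(pkt, rdr_rules, filter_rules):
    """Return (final destination, verdict) for one inbound packet."""
    t = apply_rdr(pkt, rdr_rules)
    return t.dst, filter_pkt(t, filter_rules)

# Addresses from the post; 10.2.4.5 is the inside LDAP host.
EXT, INT, CLIENT, LDAP = "156.122.130.19/32", "10.2.4.5", "209.247.228.201/32", 389
COWORKER_RDR = [(CLIENT, EXT, LDAP, INT)]                  # source-restricted rdr
POSTER_RDR = [(ANY, EXT, LDAP, INT)]                       # rdr everything ...
POSTER_PASS = [("pass", True, CLIENT, INT + "/32", LDAP)]  # ... filter by source
SLOPPY_PASS = [("pass", False, ANY, ANY, None)]            # a stray 'pass in all'

client = Pkt("209.247.228.201", "156.122.130.19", 389)
stranger = Pkt("203.0.113.7", "156.122.130.19", 389)       # constructed address
```

With a default-deny filter, decide() admits the same client under both rulesets and shows that rdr by itself passes nothing. Only once a stray broad pass rule exists does the source-restricted rdr matter, because the unrestricted rdr then hands strangers to the inside host instead of leaving them at the firewall's own address.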