Firewall for more than one static IP address DSL (was Re: Dual port dual subnet question)

From: Ben (bluesky6_at_ix.netcom.com)
Date: 09/14/04


Date: Tue, 14 Sep 2004 09:58:52 -0700

Well, I found the solution to what I wanted to do and as usual, the
solution was simpler than the original problem :-)

I just got 2 static IP addresses from my DSL provider and I wanted to
hook up two physically distinct webservers.

I had originally thought of connecting the DSL modem to a hub and then
running 2 connections from the hub to the firewall machine. Each Ethernet
port from the hub would have one IP address.

After looking at the ifconfig man page, I found that I could use the
"alias" option in the hostname.if file (hostname.xl0 in my case):

inet 155.155.155.34 255.255.255.0 NONE
inet alias 155.155.155.45 255.255.255.0 NONE

Effectively, this configured the single Ethernet port xl0 with 2 IP
addresses. So I didn't need the hub...

The next thing I had to do was to figure out how to redirect port 80
requests from each of these 2 IP addresses (from the single xl0 port)
to the correct server.

Normally, you would include the following line in /etc/pf.conf to
redirect port 80 requests to your webserver:

rdr on $ext_if inet proto tcp to port 80 -> 192.168.1.55 port 80

where $ext_if is the external interface e.g. xl0 in my case

This line specifies that all port 80 requests from the external
interface would be redirected to the webserver.

What I needed to do was to add the additional IP address parameter.

Fortunately, pf allowed me to do that:

rdr on $ext_if inet proto tcp to 155.155.155.34 port 80 -> 192.168.1.55 port 80

This specifies that port 80 requests to the 155.155.155.34 IP address
that arrive on the external port will be routed to the webserver on
192.168.1.55 on the internal subnet.

To add routing for the second server, I added the following:

rdr on $ext_if inet proto tcp to 155.155.155.45 port 80 -> 192.168.1.57 port 80

And voila!

I've also included this info in my long-dormant OpenBSD for Dummies
webpage at www.svgeek.com/dummies/opendummies.html

Please email me if you find typos or factual errors.

Thanks.

Ben
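Editor's added example (not part of Ben's post or his pf.conf): a complete
pf.conf fragment that puts the two rdr rules above together with the filter
rules they need. The two rdr lines alone only translate the destination
address; on a firewall with a default "block" policy the redirected packets
are still dropped unless a pass rule admits them, and because pf filters
after translation, those pass rules must name the internal server
addresses, not the public ones. The external interface name and all
addresses are taken from the post; the internal interface name fxp0 is an
assumption used for illustration.

```pf
# /etc/pf.conf fragment: two public addresses on one external interface,
# each forwarded to a different internal web server.
# Added example; interface fxp0 is assumed, the rest comes from the post.
ext_if    = "xl0"
int_if    = "fxp0"              # assumed: interface facing 192.168.1.0/24
web_a_ext = "155.155.155.34"
web_a_int = "192.168.1.55"
web_b_ext = "155.155.155.45"
web_b_int = "192.168.1.57"

# Translation rules come before filter rules in pf.conf.
# The public address that was hit selects the internal server.
rdr on $ext_if inet proto tcp from any to $web_a_ext port 80 -> $web_a_int port 80
rdr on $ext_if inet proto tcp from any to $web_b_ext port 80 -> $web_b_int port 80

# Default deny inbound on the external interface.
block in on $ext_if all

# Filtering happens after rdr has rewritten the destination, so these
# rules must match the internal addresses. Only the initial SYN is matched;
# the rest of each connection is handled by the state entry.
pass in on $ext_if inet proto tcp from any to $web_a_int port 80 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $web_b_int port 80 flags S/SA keep state

# Let the translated packets leave towards the servers on the inside.
pass out on $int_if inet proto tcp from any to { $web_a_int, $web_b_int } port 80 keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it
with `pfctl -f /etc/pf.conf`, and confirm what is active with
`pfctl -s nat` and `pfctl -s rules`. Both web servers must use the
firewall as their default gateway: rdr only works when the reply traffic
comes back through the same host that holds the state entry.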


