Hi there.

There were different errors on the last email. For the first rdr-to I 
have lost the direction, and for the second rule host specification, the 
same with different host.
But today, reading these mail, I've another question:

the rdr-to rules does not accept only inbound packet?

thanks in advance
Stuart Henderson wrote:
quoted text
> On 2010-06-17, Alessandro Baggi <alessandro.baggi@gmail.com> wrote:
>   
>> Hi stuart. Thanks for the reply. Can you give me a valid example to 
>> understand this directive?
>> Reading man pages and on the web I understand that with match directive, 
>> the quick keyword has no durable effect, and the match directive set on 
>> the fly the values e not after last rule match such as pass. True?
>>
>> It is a valid ruleset?
>>
>> match on $ext proto tcp from any to any port 80  rdr-to $dmz-host port 80
>> ....
>> ...
>> ...
>> pass on $ext proto tcp from any to  $hostweb port 80 synproxy state
>>     
>
> not valid, rdr-to needs a direction (in/out).
>
> also see this: 
>
>    Translation
> [...]
>      Subsequent rules will see packets as they look after any addresses and
>      ports have been translated.  These rules will therefore have to filter
>      based on the translated address and port number.
>
> so for the pass rule you probably want $dmz-host not $hostweb.
>
>   
>> pass on $ext proto tcp from any to any port 80 rdr-to $dmz-host port 80
>>
>> I must not to put another filter rule for pass this service such as pf 
>> of openbsd4.5?
>>     
>
> you don't need a separate rule. you can either do it this way,
> with 'rdr-to' directly on the pass rule, or you can use separate
> match and pass rules, depending on what works best for you and
> your ruleset.
>
>
>   
>> Another question, in my example I want that my internal request for my 
>> internal site in dmz, are redirected versus dmz directly. Staying at my 
>> understandig, the ruleset must be:
>>
>> #redirect packet for http versus squid
>> match in on $int proto tcp from $int:network to any port 80 rdr-to 
>> $int:0 port 3128
>> # redirect  packet for  mydomain.ath.cd to dmz-host
>> match in on $int proto tcp from $int:network to mydomain.ath.cx port 80 
>> rdr-to $dmz-host port 80
>>
>> # pass all traffic for int network
>> pass in on $int from $int:network to any 
>>
>>
>> than, if the $int network client sends a request for mydomain.ath.cx the 
>> first rule match, the second match and when the pass rule will be 
>> processed, settings take place and then redirected?
>>     
>
> from a quick read, i think so, but you can test this yourself
> much more easily than i can.
>
>
>   
>> thanks in advance
>>
>> Stuart Henderson wrote:
>>     
>>> "match" is a modifier. the settings are remembered and applied to the
>>> pass rule lower in the ruleset which permits the traffic to go through.
>>>
>>>
>>>
>>> On 2010-06-17, Alessandro Baggi <alessandro.baggi@gmail.com> wrote:
>>>   
>>>       
>>>> Hi misc.
>>>> I've a openbsd 4.7 firewall with 3 nic, one for lan, one for wan and one 
>>>> for dmz. On the same machine I've a squid proxy, and in dmz i've a web 
>>>> server.
>>>> My problem is when I get a request for the web server on dmz by a lan 
>>>> client.
>>>> In my ruleset I've this rdr rules for http request:
>>>>
>>>> match in on $int proto tcp from $int:network to any port 80 rdr-to 
>>>> $int:0 port 3128
>>>>
>>>> and it works fine for all requests.
>>>>
>>>> When I make from a $int:network client an http request like 
>>>> "http://mydomain.ath.cx", the proxy (working with rdr rule or browser 
>>>> config) give me the web managment of my router.
>>>> Then I've tried a first set:
>>>>
>>>> match in quick on $int proto tcp from $int:network to mydomain.ath.cx 
>>>> port 80 rdr-to $apache port 80
>>>> match in quick on $int proto tcp from $int:network to $int:0 port 3128 
>>>> rdr-to $apache port 80
>>>> match in on $int  proto tcp from $int:network to any port 80 rdr-to 
>>>> $int:0 port 3128
>>>>
>>>> but the behaviour is the same.
>>>>
>>>> I've tried to modify my rdr rules into (second set):
>>>>
>>>> pass in quick on $int proto tcp from $int:network to mydomain.ath.cx 
>>>> port 80 rdr-to $apache port 80
>>>> pass in quick on $int proto tcp from $int:network to $int:0 port 3128 
>>>> rdr-to $apache port 80
>>>> match in on $int proto tcp from $int:network to any port 80 rdr-to 
>>>> $int:0 port 3128
>>>>
>>>> and it works fine.
>>>>
>>>> I've tried third ruleset:
>>>>
>>>> match in on $int proto tcp from $int:network to any port 80 rdr-to 
>>>> $int:0 port 3128
>>>> match in on $int proto tcp from any to mydomain.ath.cx port 80 rdr-to 
>>>> $apache port 80
>>>>
>>>> but doesn't work.
>>>>
>>>> My question is about these three ruleset.
>>>>
>>>> Why in the first ruleset match in quick rules, the key quick does not 
>>>> affect the third rule of squid redirection?
>>>> Why the pass rules works instead the match rules?
>>>> Why in the third ruleset match in on $int...doesn't work? The rules 
>>>> parsing is the "last match rule"?
>>>>
>>>>
>>>> thanks in advance