
Re: rdr rule for proxy



Hi Chad,

In lists.openbsd-misc, you wrote:
> running openbsd 3.2 - just upgraded this morning
> and i have one pf rule i can't get to work
> 
> # Redirect HTTP requests to Proxy Server except DOMAIN Web Sites
> rdr on $Int inet proto tcp from $Lan to ! $DOMAIN port 80 -> xxx.xxx.xxx.8 port 80
> 
> here is all i get when i try to load pf.conf with the rule applied
> firewall:~ # pfctl -f /etc/pf.conf
> /etc/pf.conf:62: syntax error
> pfctl: Syntax error in file: pf rules not loaded
> 
> i'm assuming it has to do with the ! $DOMAIN
> if i take that part out and just go with
> rdr on $Int inet proto tcp from $Lan to any port 80 -> xxx.xxx.xxx.8 port 80
> it will work but i don't want to proxy for my local webservers.

We can't help you on this without knowing what value $DOMAIN has.
If it is what I think, a domain name like openbsd.org, it won't work
because pfctl has no way of knowing which IP addresses have servers
in this domain and which don't.
You can only filter based on IP addresses or IP networks. You also
need to be careful if you want to use a list of IP addresses here
because "rdr ... ! {host1, host2} ..." is expanded to

rdr ... ! host1 ...
rdr ... ! host2 ...

so every packet matches at least one of those rules.

Ciao, Arne.
-- 
 ,``o. OpenBSD        -        Debian GNU/Linux        -        Solaris  >o)
>( ,c@ GPG 1024D/913C2F81 2000-10-11  Arne P. Boettger <apb_(_at_)_createx_(_dot_)_de>  /\\
 ',,,' Fingerprint = 6ED9 9A64 CD8A EB6F D841  0391 2F08 8F86 913C 2F81 _\_V
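To make the expansion problem concrete, here is an added pf.conf fragment (not from either poster) that puts the broken negated-list rule beside the usual fix: a `no rdr` rule for the local web servers in front of a catch-all `rdr` to the proxy. The interface and macro names, the 192.0.2.0/24 addresses and the proxy address are constructed placeholders, and the fragment assumes the `no rdr` form documented in pf.conf(5) for this era of pf.

```pf
# Constructed example values (documentation range), not real hosts.
Int    = "fxp1"
Lan    = "192.0.2.0/24"
proxy  = "192.0.2.8"

# --- Broken: negating a list does NOT mean "none of these". ---
# pfctl expands the braces into one rule per host:
#   rdr on $Int inet proto tcp from $Lan to ! 192.0.2.10 port 80 -> $proxy port 80
#   rdr on $Int inet proto tcp from $Lan to ! 192.0.2.11 port 80 -> $proxy port 80
# A request to 192.0.2.10 skips the first rule but matches the second,
# so traffic to every local web server is still redirected to the proxy.
#
# rdr on $Int inet proto tcp from $Lan to ! { 192.0.2.10, 192.0.2.11 } port 80 \
#     -> $proxy port 80

# --- Working: exclude the local servers first, then redirect everything else. ---
# Translation rules are evaluated first-match, so "no rdr" for the local
# web servers must come before the catch-all. The "no" keyword makes matching
# packets leave the rdr pass untranslated, like "drop quick" in the filter.
no rdr on $Int inet proto tcp from $Lan to { 192.0.2.10, 192.0.2.11 } port 80
rdr on $Int inet proto tcp from $Lan to any port 80 -> $proxy port 80
```

Load with `pfctl -nf /etc/pf.conf` first (`-n` parses without loading) and check the expanded rules with `pfctl -s nat` to confirm the `no rdr` lines precede the redirect.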