Velocity Reviews - Computer Hardware Reviews

pf forwarding

 
 
Shane
07-12-2005
I saw in another thread the use of pf (OpenBSD) for load balancing, and am
curious if I can make pf route to a destination, based on the address
being asked for.
i.e.
http://webby.weasel.is-a-geek.net/somesh*t
http://slacker.weasel.is-a-geek.net/someothersh*t.php

as you can see I want traffic sent to one machine named slacker, and one
named webby, both on port 80
[you may call me a lazy ass for not going through the 57 pages of
documentation I have here]

it seems a straightforward problem to me, but the one hack attempt I made
at it was botched
TIA

--
Hardware, n.: The parts of a computer system that can be kicked

The best way to get the right answer on usenet is to post the wrong one.

 
The Other Guy
07-12-2005
Shane wrote:
> I saw in another thread the use of pf (OpenBSD) for load balancing, and am
> curious if I can make pf route to a destination, based on the address
> being asked for.
> ie.
> http://webby.weasel.is-a-geek.net/somesh*t
> http://slacker.weasel.is-a-geek.net/someothersh*t.php


Yes, pf can do this, but only if the IP address and/or port are
different. I think the 'address' you are referring to is just a different
virtual Web host on the same IP/port?

If so, then no, pf cannot do this as pf is a firewall, not a Web proxy.
It doesn't understand the protocols running on top of [TCP/]IP, nor
should it.

The Other Guy
 
baldrick
07-12-2005
On 2005-07-12, The Other Guy <(E-Mail Removed)> wrote:
> Shane wrote:
>> I saw in another thread the use of pf (OpenBSD) for load balancing, and am
>> curious if I can make pf route to a destination, based on the address
>> being asked for.
>> ie.
>> http://webby.weasel.is-a-geek.net/somesh*t
>> http://slacker.weasel.is-a-geek.net/someothersh*t.php

>
> Yes, pf can do this, but only if the IP address and/or port are
> different. I think the 'address' you are refering to is just a different
> virtual Web host on the same IP/port?
>
> If so, then no, pf cannot do this as pf is a firewall, not a Web proxy.
> It doesn't understand the protocols running on top of [TCP/]IP, nor
> should it.
>
> The Other Guy


Yeah, the two addresses relate to two different machines, with separate IPs.
When I tried it my rule looked like
rdr from any to slacker.* (are wildcards allowed here?) port 80 -> slacker's
RFC1918 IP
rdr from any to webby.* port 80 -> webby's RFC1918 IP

but that borked, as I had all traffic being routed to slacker, including ssh
(which at that time was being sent to a third machine, and smtp); my guess is
the wildcard entry, which is annoying as I had virtual hosting on both machines (cue table?)

 
thing2
07-12-2005
Shane wrote:
> I saw in another thread the use of pf (OpenBSD) for load balancing, and am
> curious if I can make pf route to a destination, based on the address
> being asked for.
> ie.
> http://webby.weasel.is-a-geek.net/somesh*t
> http://slacker.weasel.is-a-geek.net/someothersh*t.php
>
> as you can see I want traffic sent to one machine named slacker, and one
> named webby, both on port 80
> [you may call me a lazy ass for not going through the 57 pages of
> documentation I have here]
>
> it seems a straight forward problem to me, but the one hack attempt I made
> at it was botched
> TIA
>



I would expect this to be done at a higher level than a firewall; we are
above TCP here, into application territory...

Some sort of web load balancer software, using the firewall software to
transparently catch the traffic at port 80 and re-direct it to (say)
1025 where the web balancer application is listening which then
re-directs depending on the header request aka Apache with virtual
hosting. The web servers then just respond directly....

regards

Thing




 
The Other Guy
07-12-2005
baldrick wrote:
> Yeah the two addresses relate to two different machines, with seperate ip's,
> when I tried it my rule looked like
> rdr from any to slacker.* (are wildcards allowed here?) port 80 -> slackers
> rfc1918 ip
> rdr from any to webby.* port 80 -> webbys rfc1918 ip
>
> but that borked, as I had all traffic being routed to slacker, including ssh
> (which at that time was being sent to a third machine and smtp ) my guess is
> the wildcard entry, which is annoying as I had virtual hosting on both machines (cue table?)


You can't use hostnames, you need to use IP addresses or interface
names. If you have a complex script you can use variables to make it
easier, and you can also use $interface:network etc. See the pf FAQ for
the ':' extensions you can use.

E.g.

rdr on $ext_if from any to any port 80 -> 10.0.0.1 port 8080

The Other Guy
 
The Other Guy
07-12-2005
In case there is any confusion here, the two IP/port addresses need to
have different real world addresses for their DNS entries, not private
addresses.

The Other Guy

The Other Guy wrote:
> baldrick wrote:
>
>> Yeah the two addresses relate to two different machines, with seperate
>> ip's, when I tried it my rule looked like
>> rdr from any to slacker.* (are wildcards allowed here?) port 80 ->
>> slackers rfc1918 ip
>> rdr from any to webby.* port 80 -> webbys rfc1918 ip
>>
>> but that borked, as I had all traffic being routed to slacker,
>> including ssh (which at that time was being sent to a third machine
>> and smtp ) my guess is the wildcard entry, which is annoying as I had
>> virtual hosting on both machines (cue table?)

>
>
> You can't use hostnames, you need to use IP addresses or interface
> names. If you have a complex script you can use variables to make it
> easier, and you can also use $interface:network etc. See the pf FAQ for
> the ':' extensions you can use.
>
> E.g.
>
> rdr on $ext_if from any to any port 80 -> 10.0.0.1 port 8080
>
> The Other Guy

 
Shane
07-13-2005

> The Other Guy


hmm yeah, the real world IP requirement sinks me. The more I think about
this the more I see it as virtual hosting, where Apache decides the
machine, so that means pf routes to one machine, and Apache then decides
which machine to use from there.
Thing's comment on this being higher in the OSI model than the fw is
operating at sounds right, although I would have thought Presentation
Layer (please excuse my pedantic moment).
I had a peruse of some online docs for CARP, and they seem only related
to load balancing, which this isn't quite.
Until I receive a better idea, I'm looking into Apache handling the
machine name issue.

Ta Nicely


--
Hardware, n.: The parts of a computer system that can be kicked

The best way to get the right answer on usenet is to post the wrong one.

 
Shane
07-13-2005
On Wed, 13 Jul 2005 09:18:26 +1200, thing2 wrote:

> Shane wrote:
>> I saw in another thread the use of pf (OpenBSD) for load balancing, and
>> am curious if I can make pf route to a destination, based on the address
>> being asked for.
>> ie.
>> http://webby.weasel.is-a-geek.net/somesh*t
>> http://slacker.weasel.is-a-geek.net/someothersh*t.php
>>
>> as you can see I want traffic sent to one machine named slacker, and one
>> named webby, both on port 80
>> [you may call me a lazy ass for not going through the 57 pages of
>> documentation I have here]
>>
>> it seems a straight forward problem to me, but the one hack attempt I
>> made at it was botched
>> TIA
>>
>>

>
> I would expect this to be done at a higher level than a firewall, we are
> above TCP here, into application territory...
>
> Some sort of web load balancer software, using the firewall software to
> transparently catch the traffic at port 80 and re-direct it to (say) 1025
> where the web balancer application is listening which then re-directs
> depending on the header request aka Apache with virtual hosting. The web
> servers then just respond directly....
>
> regards
>
> Thing


SQUID
reverse proxy setup using SQUID to be precise, and no this isn't my own
thinking, I posted to c.u.b.openbsd.misc and they suggested it.
thanking all

--
Hardware, n.: The parts of a computer system that can be kicked

The best way to get the right answer on usenet is to post the wrong one.

 
Lawrence D’Oliveiro
07-15-2005
In article <(E-Mail Removed)-a-geek.net>,
Shane <(E-Mail Removed)-a-geek.net> wrote:

>I saw in another thread the use of pf (OpenBSD) for load balancing, and am
>curious if I can make pf route to a destination, based on the address
>being asked for.
>ie.
>http://webby.weasel.is-a-geek.net/somesh*t
>http://slacker.weasel.is-a-geek.net/someothersh*t.php


A simpler approach may be to let the DNS distribute the load for you:

www.weasel.is-a-geek.net IN A <ip address for webby>
www.weasel.is-a-geek.net IN A <ip address for slacker>

then when users use the name "www.weasel.is-a-geek.net", half of them
should be sent to webby, and the other half to slacker. Simple, provided
you don't have to worry about session cookies or like that.
 
Shane
07-22-2005
I *finally* got a roundtoit last night (during a lovefest with Mike gordge)

My final decision was to use Apache on the FreeBSD machine to reverse
proxy for me, I have decided to post the solution 1) to show its absolute
simplicity and 2) to brag <g>

Background:
An HTTP request comes into my network through my firewall; if that request
is for a certain address, Apache then forwards the request to another
webserver on my network (which is also my mailserver).

Solution:
at the bottom of my httpd.conf I have added the following 2 lines

ProxyRequests Off
ProxyPass /mail http://deviant.shanes.dyndns.org/mail


As can be clearly seen I have turned proxy requests off (I don't want to
be running an open proxy) and I have shown Apache what to do with a
request for /mail: it forwards the request to the address /mail on deviant
(my mailserver).

I should note that I _did_ have issues with external clients having
trouble logging in because the local machines were sending out their
hostnames as part of the URL redirects, which external machines couldn't
resolve; this was fixed by changing hostnames to FQDNs.

Thank you all and have a nice day

--
Hardware, n.: The parts of a computer system that can be kicked

The best way to get the right answer on usenet is to post the wrong one.
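The two-line solution above, and the redirect problem noted with it, both map onto standard mod_proxy directives. The fragment below is an added example rather than the httpd.conf posted in the thread: it keeps `ProxyRequests Off` so the server is never an open forward proxy, adds `ProxyPassReverse` so the backend's own hostname is rewritten out of Location headers before they reach an external client (the login problem described above), and shows name-based dispatch for the webby and slacker sites that the thread started with. Module paths, the backend address and the document root are assumed placeholders; the /mail target is the one from the post.

```apache
# httpd.conf fragment (added example, not the configuration posted above).
# Apache 2.2 era directives. Module paths, 192.168.1.11 and the DocumentRoot
# are ASSUMED placeholders.

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Never act as a forward (open) proxy. ProxyPass below is unaffected by this.
ProxyRequests Off

NameVirtualHost *:80

# Front end on the single public address; the Host header picks the backend.
<VirtualHost *:80>
    ServerName slacker.weasel.is-a-geek.net
    # Pass the client's Host header through so the backend's virtual hosting
    # and self-referential URLs use the public name, not the internal one.
    ProxyPreserveHost On
    ProxyPass        / http://192.168.1.11/
    # Rewrite Location, Content-Location and URI headers in backend responses
    # so a redirect never exposes an internal hostname external clients cannot resolve.
    ProxyPassReverse / http://192.168.1.11/
</VirtualHost>

<VirtualHost *:80>
    ServerName webby.weasel.is-a-geek.net
    # This site is served locally; only /mail is handed to the mailserver.
    DocumentRoot /var/www/webby
    ProxyPass        /mail http://deviant.shanes.dyndns.org/mail
    ProxyPassReverse /mail http://deviant.shanes.dyndns.org/mail
</VirtualHost>
```

`ProxyPassReverse` only rewrites response headers; links inside HTML bodies still come out exactly as the backend generated them, which is why setting the backend's `ServerName` to a fully qualified, externally resolvable name (the FQDN fix from the post) is still needed alongside it. Check the result with `apachectl configtest` before reloading.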

 