pf forwarding

Discussion in 'NZ Computing' started by Shane, Jul 12, 2005.

  1. Shane

    Shane Guest

    I saw in another thread the use of pf (OpenBSD) for load balancing, and am
    curious if I can make pf route to a destination, based on the address
    being asked for.
    ie.
    http://webby.weasel.is-a-geek.net/somesh*t
    http://slacker.weasel.is-a-geek.net/someothersh*t.php

    as you can see I want traffic sent to one machine named slacker, and one
    named webby, both on port 80
    [you may call me a lazy ass for not going through the 57 pages of
    documentation I have here]

    it seems a straightforward problem to me, but the one hack attempt I made
    at it was botched
    TIA

    --
    Hardware, n.: The parts of a computer system that can be kicked

    The best way to get the right answer on usenet is to post the wrong one.
     
    Shane, Jul 12, 2005
    #1

  2. Shane wrote:
    > I saw in another thread the use of pf (OpenBSD) for load balancing, and am
    > curious if I can make pf route to a destination, based on the address
    > being asked for.
    > ie.
    > http://webby.weasel.is-a-geek.net/somesh*t
    > http://slacker.weasel.is-a-geek.net/someothersh*t.php


    Yes, pf can do this, but only if the IP address and/or port are
    different. I think the 'address' you are referring to is just a different
    virtual Web host on the same IP/port?

    If so, then no, pf cannot do this as pf is a firewall, not a Web proxy.
    It doesn't understand the protocols running on top of [TCP/]IP, nor
    should it.

    The Other Guy
     
    The Other Guy, Jul 12, 2005
    #2

  3. Shane

    baldrick Guest

    On 2005-07-12, The Other Guy <> wrote:
    > Shane wrote:
    >> I saw in another thread the use of pf (OpenBSD) for load balancing, and am
    >> curious if I can make pf route to a destination, based on the address
    >> being asked for.
    >> ie.
    >> http://webby.weasel.is-a-geek.net/somesh*t
    >> http://slacker.weasel.is-a-geek.net/someothersh*t.php

    >
    > Yes, pf can do this, but only if the IP address and/or port are
    > different. I think the 'address' you are referring to is just a different
    > virtual Web host on the same IP/port?
    >
    > If so, then no, pf cannot do this as pf is a firewall, not a Web proxy.
    > It doesn't understand the protocols running on top of [TCP/]IP, nor
    > should it.
    >
    > The Other Guy


    Yeah the two addresses relate to two different machines, with separate IPs,
    when I tried it my rule looked like
    rdr from any to slacker.* (are wildcards allowed here?) port 80 -> slackers
    rfc1918 ip
    rdr from any to webby.* port 80 -> webbys rfc1918 ip

    but that borked, as I had all traffic being routed to slacker, including ssh
    (which at that time was being sent to a third machine and smtp ) my guess is
    the wildcard entry, which is annoying as I had virtual hosting on both machines (cue table?)
     
    baldrick, Jul 12, 2005
    #3
  4. Shane

    thing2 Guest

    Shane wrote:
    > I saw in another thread the use of pf (OpenBSD) for load balancing, and am
    > curious if I can make pf route to a destination, based on the address
    > being asked for.
    > ie.
    > http://webby.weasel.is-a-geek.net/somesh*t
    > http://slacker.weasel.is-a-geek.net/someothersh*t.php
    >
    > as you can see I want traffic sent to one machine named slacker, and one
    > named webby, both on port 80
    > [you may call me a lazy ass for not going through the 57 pages of
    > documentation I have here]
    >
    > it seems a straight forward problem to me, but the one hack attempt I made
    > at it was botched
    > TIA
    >



    I would expect this to be done at a higher level than a firewall, we are
    above TCP here, into application territory...

    Some sort of web load balancer software, using the firewall software to
    transparently catch the traffic at port 80 and re-direct it to (say)
    1025 where the web balancer application is listening which then
    re-directs depending on the header request aka Apache with virtual
    hosting. The web servers then just respond directly....

    regards

    Thing
     
    thing2, Jul 12, 2005
    #4
  5. baldrick wrote:
    > Yeah the two addresses relate to two different machines, with separate IPs,
    > when I tried it my rule looked like
    > rdr from any to slacker.* (are wildcards allowed here?) port 80 -> slackers
    > rfc1918 ip
    > rdr from any to webby.* port 80 -> webbys rfc1918 ip
    >
    > but that borked, as I had all traffic being routed to slacker, including ssh
    > (which at that time was being sent to a third machine and smtp ) my guess is
    > the wildcard entry, which is annoying as I had virtual hosting on both machines (cue table?)


    You can't use hostnames, you need to use IP addresses or interface
    names. If you have a complex script you can use variables to make it
    easier, and you can also use $interface:network etc. See the pf FAQ for
    the ':' extensions you can use.

    E.g.

    rdr on $ext_if from any to any port 80 -> 10.0.0.1 port 8080

    The Other Guy
     
    The Other Guy, Jul 12, 2005
    #5
  6. In case there is any confusion here, the two IP/port addresses need to
    have different real world addresses for their DNS entries, not private
    addresses.

    The Other Guy

    The Other Guy wrote:
    > baldrick wrote:
    >
    >> Yeah the two addresses relate to two different machines, with separate
    >> IPs, when I tried it my rule looked like
    >> rdr from any to slacker.* (are wildcards allowed here?) port 80 ->
    >> slackers rfc1918 ip
    >> rdr from any to webby.* port 80 -> webbys rfc1918 ip
    >>
    >> but that borked, as I had all traffic being routed to slacker,
    >> including ssh (which at that time was being sent to a third machine
    >> and smtp ) my guess is the wildcard entry, which is annoying as I had
    >> virtual hosting on both machines (cue table?)

    >
    >
    > You can't use hostnames, you need to use IP addresses or interface
    > names. If you have a complex script you can use variables to make it
    > easier, and you can also use $interface:network etc. See the pf FAQ for
    > the ':' extensions you can use.
    >
    > E.g.
    >
    > rdr on $ext_if from any to any port 80 -> 10.0.0.1 port 8080
    >
    > The Other Guy
     
    The Other Guy, Jul 12, 2005
    #6
  7. Shane

    Shane Guest


    > The Other Guy


    hmm yeah, the real world ip requirement sinks me, the more I think about
    this the more I see it as virtual hosting, where apache decides the
    machine, so that means pf routes to one machine, and apache then decides
    which machine to use from there
    Thing's comment on this being higher in the OSI model than the fw is
    operating at sounds right, although I would have thought Presentation
    Layer (please excuse my pedantic moment:)
    I had a peruse of some online docs for CARP, and they seem only related
    to load balancing, which this isn't quite.
    Until I receive a better idea, I'm looking into Apache handling the
    machine name issue

    Ta Nicely


    --
    Hardware, n.: The parts of a computer system that can be kicked

    The best way to get the right answer on usenet is to post the wrong one.
     
    Shane, Jul 13, 2005
    #7
  8. Shane

    Shane Guest

    On Wed, 13 Jul 2005 09:18:26 +1200, thing2 wrote:

    > Shane wrote:
    >> I saw in another thread the use of pf (OpenBSD) for load balancing, and
    >> am curious if I can make pf route to a destination, based on the address
    >> being asked for.
    >> ie.
    >> http://webby.weasel.is-a-geek.net/somesh*t
    >> http://slacker.weasel.is-a-geek.net/someothersh*t.php
    >>
    >> as you can see I want traffic sent to one machine named slacker, and one
    >> named webby, both on port 80
    >> [you may call me a lazy ass for not going through the 57 pages of
    >> documentation I have here]
    >>
    >> it seems a straight forward problem to me, but the one hack attempt I
    >> made at it was botched
    >> TIA
    >>
    >>

    >
    > I would expect this to be done at a higher level than a firewall, we are
    > above TCP here, into application territory...
    >
    > Some sort of web load balancer software, using the firewall software to
    > transparently catch the traffic at port 80 and re-direct it to (say) 1025
    > where the web balancer application is listening which then re-directs
    > depending on the header request aka Apache with virtual hosting. The web
    > servers then just respond directly....
    >
    > regards
    >
    > Thing


    SQUID
    reverse proxy setup using SQUID to be precise, and no this isn't my own
    thinking, I posted to c.u.b.openbsd.misc and they suggested it
    thanking all :)

    --
    Hardware, n.: The parts of a computer system that can be kicked

    The best way to get the right answer on usenet is to post the wrong one.
     
    Shane, Jul 13, 2005
    #8
  9. In article <-a-geek.net>,
    Shane <-a-geek.net> wrote:

    >I saw in another thread the use of pf (OpenBSD) for load balancing, and am
    >curious if I can make pf route to a destination, based on the address
    >being asked for.
    >ie.
    >http://webby.weasel.is-a-geek.net/somesh*t
    >http://slacker.weasel.is-a-geek.net/someothersh*t.php


    A simpler approach may be to let the DNS distribute the load for you:

    www.weasel.is-a-geek.net IN A <ip address for webby>
    www.weasel.is-a-geek.net IN A <ip address for slacker>

    then when users use the name "www.weasel.is-a-geek.net", half of them
    should be sent to webby, and the other half to slacker. Simple, provided
    you don't have to worry about session cookies or like that.
     
    Lawrence D’Oliveiro, Jul 15, 2005
    #9
  10. Shane

    Shane Guest

    I *finally* got a roundtoit last night (during a lovefest with Mike gordge)

    My final decision was to use Apache on the FreeBSD machine to reverse
    proxy for me, I have decided to post the solution 1) to show its absolute
    simplicity and 2) to brag <g>

    Background:
    An HTTP request comes into my network through my firewall, if that request
    is for a certain address Apache then forwards the request to another
    webserver on my network (which is also my mailserver)

    Solution:
    at the bottom of my httpd.conf I have added the following 2 lines

    ProxyRequests Off
    ProxyPass /mail http://deviant.shanes.dyndns.org/mail


    As can be clearly seen I have turned proxy requests off ( I don't want to
    be running an open proxy) and I have shown Apache what to do with a
    request for /mail. It forwards the request to the address /mail on deviant
    (my mailserver)

    I should note that I _did_ have issues with external clients having
    trouble logging in because the local machines were sending out their
    hostnames as part of the URL redirects, which external machines couldn't
    resolve, this was fixed by changing hostnames to FQDNs

    Thank you all and have a nice day :)

    --
    Hardware, n.: The parts of a computer system that can be kicked

    The best way to get the right answer on usenet is to post the wrong one.
     
    Shane, Jul 22, 2005
    #10
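    The reverse-proxy arrangement Shane settled on, written out as an added example (not his httpd.conf and not the thread's own config): the front-end Apache that pf forwards port 80 to picks a backend from the Host header, which pf alone cannot see, ProxyRequests Off keeps it from becoming an open proxy, and ProxyPassReverse rewrites the backends' redirect headers so external clients never see internal hostnames. The backend addresses 192.168.1.10 and 192.168.1.11, the module paths and the catch-all ServerName are assumptions.

```apache
# Added example, not the thread's httpd.conf. Front-end Apache (the machine
# pf forwards port 80 to) picks a backend by the Host header, which pf alone
# cannot see. Backend addresses 192.168.1.10/.11 and module paths are assumed.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Reverse proxying via ProxyPass does not need forward proxying; leaving
# ProxyRequests On would make this box an open proxy for the Internet.
ProxyRequests Off

# Needed on Apache 2.0/2.2 for name-based vhosts (2.4 ignores it with a warning).
NameVirtualHost *:80

# The first vhost is the default for requests whose Host header matches no
# ServerName; refuse them instead of silently proxying to the first backend.
<VirtualHost *:80>
    ServerName catchall.invalid
    Redirect 404 /
</VirtualHost>

<VirtualHost *:80>
    ServerName webby.weasel.is-a-geek.net
    # Pass the client's Host header through so the backend's own virtual
    # hosting (mentioned in post #3) still matches.
    ProxyPreserveHost On
    ProxyPass        / http://192.168.1.10/
    # Rewrite Location headers in backend redirects back to this public name;
    # this is the hostname-in-redirect problem Shane hit with external clients.
    ProxyPassReverse / http://192.168.1.10/
</VirtualHost>

<VirtualHost *:80>
    ServerName slacker.weasel.is-a-geek.net
    ProxyPreserveHost On
    ProxyPass        / http://192.168.1.11/
    ProxyPassReverse / http://192.168.1.11/
</VirtualHost>
```

    Check the result with `apachectl configtest` before reloading; a request with an unknown Host header should get a 404 from the front end rather than a page from one of the backends.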
