Hansteen, Peter N.M., "The Book of PF," San Francisco, No Starch Press,
2008. See pg 23: "... you can use domain names and host names in your rule
set, but then the rule set would only be valid after the name service is
running and accessible. In the default configuration, PF is loaded before
any network services are running... [to do so] you will need to change the
system's startup sequence ... to load the name service-dependent rule-set
only after the name service is available."

regards,
Daniel Villarreal

On Tue, Aug 16, 2011 at 9:41 PM, Quintin Prinsloo <qprins...@quinix.com> wrote:

> We've been using pf for a number of years with one pf firewall serving
> multiple backend servers (i.e. a load-balanced web farm). Now we've added
> more backend servers with their own external ip addresses. It seems a waste
> to have one firewall for low volume, specialized sites, forwarding to only
> one set of servers.
>
> We're trying to have the same OpenBSD server redirect traffic based on the
> external ip address.
>
> What we're having difficulty with right now is getting relayd and pf to
> redirect the same ports, example 80 & 443, to different backend servers
> based on external ip (and domain name). It does work on ip address but not
> domain names.
>
> In pf...
> We have relayd anchors where pf will forward based on tagged names.
> Nothing special here. Pf filters port range 81:442, only directing 80 & 443
> to 443 (always) to the specified internal server or farm based on the
> "tagged" name.
>
> The following works in relayd.conf when the ip addresses are specified
> (most macros and tables have been removed for clarity):
>
> redirect webone{
>        listen on 1.2.3.4 port 80:443 interface $ext_if
>        tag tag_one
>        forward to <int_ipone> port 443 check tcp
> }
>
> redirect web2{
>        listen on 2.3.4.5 port 80:443 interface $ext_if
>        tag tag_two
>        forward to <int_iptwo> port 443 check tcp
> }
>
> The following does not work
> redirect webone{
>        listen on sub.sub.domain1.com port 80:443 interface $ext_if
>        tag tag_one
>        forward to <int_ipone> port 443 check tcp
> }
>
> redirect web2{
>        listen on $sub.sub.domain2.com port 80:443 interface $ext_if
>        tag tag_two
>        forward to <int_iptwo> port 443 check tcp
> }
>
> When this is entered, relayd -d -vv -f /etc/relayd.conf will complain that
> these listen lines have "invalid virtual ip"
>
> Am I missing something crucial here? Or is this simply a limitation of the
> technology?
>
> Any suggestions or working examples would be greatly appreciated.
>
> Q@Q
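The reply's point is that a `listen on` address given as a host name depends on a name service that is not up when the rule set is first loaded. The following is an added example, not code from the thread or from relayd: it scans a relayd.conf-style fragment for name-dependent `listen on` lines (the pre-boot check a practitioner would want) and, once DNS is available, rewrites them to address literals through a resolver you supply. The `SAMPLE_CONF` fragment and the host name in it are constructed for the example.

```python
import ipaddress
import re
import socket

# Constructed sample in the style of the relayd.conf fragments quoted above.
SAMPLE_CONF = """\
redirect webone {
        listen on 1.2.3.4 port 80:443 interface $ext_if
        tag tag_one
        forward to <int_ipone> port 443 check tcp
}
redirect web2 {
        listen on sub.sub.domain2.com port 80:443 interface $ext_if
        tag tag_two
        forward to <int_iptwo> port 443 check tcp
}
"""

# Captures: leading "listen on", the address token, the rest of the line.
LISTEN_RE = re.compile(r"^(\s*listen on\s+)(\S+)(\s.*)$")

def is_ip_literal(token):
    """True if token parses as an IPv4/IPv6 address, i.e. needs no name service."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def needs_name_service(token):
    """A $macro is expanded by relayd itself; anything else that is not an
    address literal must be looked up in DNS before relayd can bind to it."""
    return not token.startswith("$") and not is_ip_literal(token)

def find_name_dependent_listens(conf):
    """Return (line_no, token) for every 'listen on' that relies on DNS."""
    hits = []
    for no, line in enumerate(conf.splitlines(), 1):
        m = LISTEN_RE.match(line)
        if m and needs_name_service(m.group(2)):
            hits.append((no, m.group(2)))
    return hits

def resolve_listens(conf, resolve=socket.gethostbyname):
    """Rewrite DNS-dependent 'listen on' tokens to the address `resolve` returns.
    Run this only after the name service is up (a late rc step), then load the
    returned text with relayd instead of the name-bearing original."""
    out = []
    for line in conf.splitlines():
        m = LISTEN_RE.match(line)
        if m and needs_name_service(m.group(2)):
            line = f"{m.group(1)}{resolve(m.group(2))}{m.group(3)}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `find_name_dependent_listens` against the config before the boot-time load reports exactly the lines relayd will reject as "invalid virtual ip" while DNS is unreachable.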
