On 30.10.2016 18:28, Jeff Ross wrote:
> It seems like I should be able to use pf to redirect all inbound
> traffic except ssh to the new server. I tried redirecting web traffic
> as a test with the following rule in pf.conf:
>
> #pass all non-ssl web traffic to luna
> pass in quick proto tcp to port www rdr-to luna.openvistas.net port 80
I just assume that the incoming interface is the same that would be needed
to reach luna.openvistas.net?
If so, please see pf.conf(5) in Translation/rdr-to along the 'received-on'
example.
The rdr-to (as of now) will likely send the SYN to the desired address,
but the src-ip-address will still be of the initial one ("browser") and thus
the SYN-ACK (emitted from luna) goes there where it'll be ignored for not
being legit.
The example with received-on will fix this.
HTH,
--
pb
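
The following pf.conf fragment is an added illustration of the received-on approach the reply points to; it is not from either poster and is not copied from pf.conf(5). The interface name and the address standing in for luna.openvistas.net are assumptions.

```pf
# Added example. Macro values are assumptions, not taken from the thread.
ext_if = "em0"              # assumed: the single interface traffic arrives on and leaves by
luna   = "203.0.113.10"     # constructed address (TEST-NET-3) standing in for luna.openvistas.net

# Rule as posted: only the destination is rewritten. luna sees the browser's
# source address and sends its SYN-ACK directly to the browser, which drops it
# because it never opened a connection to luna.
# pass in quick proto tcp to port www rdr-to $luna port 80

# Step 1: rewrite the destination of inbound web traffic to luna.
pass in quick on $ext_if proto tcp to ($ext_if) port www \
    rdr-to $luna port 80

# Step 2: the redirected packet leaves by the interface it arrived on.
# Match it with received-on and rewrite the source to this host's own address,
# so luna replies here and pf can reverse both translations before answering
# the browser.
pass out quick on $ext_if proto tcp to $luna port 80 \
    received-on $ext_if nat-to ($ext_if)
```

With the source rewritten, luna's access logs and any address-based access control on luna see only the redirecting host's address, not the real client. The redirecting host must also have IP forwarding enabled (net.inet.ip.forwarding=1) for the packet to be sent on to luna.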