I have the following network configuration:
Internet....Firewall....Network Switch....Web-Server
                            |.............Windows XP Desktop #1
                            |.............Windows XP Desktop #2
                            |.............Windows XP Desktop #3
                            |.............Wireless AP.....Windows XP Laptop #1
                                                          Windows XP Laptop #2
                                                          Ubuntu Laptop
                                                          Windows XP Work Laptop
My firewall is a Sun Netra X1 running OpenBSD 4.2 Stable, and has pf
with NAT and RDR rules and I have dhcpd running on the internal network
on the 192.168.0.0/24 subnet.
My web-server is a Sun Netra T1 running OpenBSD 4.2 Release. My
firewall assigns a fixed IP address via DHCP to the web-server which is
192.168.0.4.
My wireless access point is a DLink 800+. My firewall assigns a fixed
IP address via DHCP to the access point which is 192.168.0.2.
Here's my dilemma. All of my desktops and laptops can access the
internet including accessing a VPN server for my work laptop. BUT I
CANNOT access my internal web-server at 192.168.0.4!!!
I've looked on the internet for pf rules but they only offer solutions
that can access either the internet or the web-server only but not both.
****I've looked at the OpenBSD pf FAQ and tried the inetd(8) with nc(1)
suggestion but...it blocks web access to the internet.
****Does anyone have a suggestion on how I can get my desktops and
laptops to get access to the internet AND my web-server?
Here's my pf.conf setup that allows all of my desktops and laptops to
get to the internet but not my web-server...
# macros
ext_if="dc0"
int_if="dc1"
web_server="192.168.0.4"
# scrub
scrub in
# nat
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
# redirection
rdr on $ext_if proto tcp from any to any port 80 -> $web_server
# filter rules
block in
pass out keep state
antispoof for { lo $int_if }
## take care of lo traffic
pass quick on lo all
## block inet6 traffic
block in quick inet6
## block broadcast noise
block in quick on $ext_if from any to 255.255.255.255
## take care of VPN
pass in quick proto gre all
pass out quick proto gre all
## pass out all UDP connections and keep state
pass out on $ext_if proto udp from ($ext_if) to any keep state
## pass out all ICMP connections and keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any keep state
## pass SSH traffic to firewall
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA keep state
## pass web traffic to web_server
pass in on $ext_if inet proto tcp from any to $web_server port 80 flags S/SA synproxy state
## pass everything else
pass in quick on $int_if
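As an added example (not part of the original post), here is the other approach the OpenBSD pf FAQ documents for this "reflection" case, written against the macros in the config above. It assumes the clients are reaching the server through the firewall's public address, that $int_if carries the whole 192.168.0.0/24 subnet, and that ($ext_if) is the public address (the same dynamic-interface form the existing nat rule uses); these lines belong in the translation section, next to the existing rdr, since pre-4.7 pf requires all nat/rdr rules before the filter rules.

```conf
# Reflection rules (OpenBSD 4.2 / pre-4.7 pf syntax), assumed addition to the
# pf.conf above. int_net is an assumption taken from the subnet named in the post.
int_net="192.168.0.0/24"

# 1. Redirect internal clients that connect to the public address on port 80
#    to the web server, the same thing the existing "rdr on $ext_if" does for
#    Internet clients. That rule never matches internal clients because their
#    packets arrive on $int_if, not $ext_if.
rdr on $int_if proto tcp from $int_net to ($ext_if) port 80 -> $web_server

# 2. Leave the firewall's own connections to the internal network alone
#    (otherwise the nat rule below could translate them as well).
no nat on $int_if proto tcp from $int_if to $int_net

# 3. Source-NAT the redirected connections to the firewall's internal address.
#    Client and server sit on the same switch: without this the server would
#    answer the client directly, the client would see a reply from 192.168.0.4
#    instead of the public address it connected to, and reset the connection.
#    With it, the reply comes back through the firewall, which untranslates it.
nat on $int_if proto tcp from $int_net to $web_server port 80 -> $int_if

# No new filter rules are needed: "pass in quick on $int_if" admits the
# redirected request and "pass out keep state" lets it leave on $int_if.
```

Reload with pfctl -f /etc/pf.conf and check with pfctl -s nat that both the ext_if and int_if translation rules are loaded; internal clients should then reach the server via the public address while direct access to 192.168.0.4 over the switch is unaffected.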