Hi Reyk,
thank you for your reply.
Reyk Floeter wrote:
> On Mon, Mar 03, 2008 at 10:29:30AM +0100, Wijnand Wiersma wrote:
> > Sebastian Reitenbach wrote:
> > > <cut>
> > > Also an http redirect did not work. I get a timeout in the browser. With
> > > tcpdump I see incoming SYN packets to port 80, but they are not answered:
> > > <cut>
> > I am having the same problem with Feb 25 snapshot.
> > It seems no rdr rules are getting loaded into PF.
> ? the previous bug report was about relays only, it does not load any
> rdr rules into PF.
I quoted the part where Sebastian mentioned ordinary redirects failing
too. Maybe I cut too much. Correct Sebastian?
> in your case, have you added the relayd anchor to pf.conf?
> rdr-anchor "relayd/*"
Yes, sure I did.
Here is the full config:
# grep -v ^# /etc/relayd.conf
ext_addr="85.158.207.27"
webhost1="10.10.11.36"
webhost2="10.10.11.37"
table <webhosts> { $webhost1 $webhost2 }
table <fallback> { 127.0.0.1 }
redirect www {
        listen on $ext_addr port http interface carp0
        # tag every packet that goes thru the rdr rule with RELAYD
        tag RELAYD
        forward to <webhosts> timeout 200 check http "/" code 200
        forward to <fallback> check icmp
}
# grep -v ^# /etc/pf.conf
ext_if="pcn0"
int_if="pcn1"
set skip on lo
scrub in
rdr-anchor "relayd/*"
nat on $ext_if from (carp1:network) -> (carp0:0)
block in log
pass out
pass quick on $int_if
pass quick on carp1
antispoof quick for { lo $int_if carp1}
pass quick proto carp
pass quick proto icmp
pass in on $ext_if proto tcp to ($ext_if) port ssh
pass quick proto tcp from any to any port http
I am using the 1 March snapshot now.
Wijnand
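The question Reyk asks (is the rdr-anchor present in pf.conf?) is the first thing to rule out before blaming relayd, and there are two more pf.conf-side conditions a redirect depends on: in PF of this era (before OpenBSD 4.7) translation rules such as rdr-anchor had to come before the first filter rule, and the anchor only translates, so a pass rule for the redirected port is still needed against a default `block in log`. The following checker is an added example written for this thread, not code from relayd or from any poster; it parses the pf.conf posted above (embedded as a constructed copy) with a deliberately small macro expander and reports which of those three conditions fail. The rule-keyword lists and the name `check_relayd_pf` are this example's own assumptions.

```python
"""Sanity-check a pre-OpenBSD-4.7 pf.conf for what a relayd redirect needs.

Three checks: the relayd rdr-anchor is present, every translation rule
precedes the first filter rule (the ordering PF enforced before 4.7), and
some pass rule admits the redirected port. Not relayd's own code.
"""
import re

# Constructed copy of the pf.conf posted in this thread (comments removed).
PF_CONF = """\
ext_if="pcn0"
int_if="pcn1"
set skip on lo
scrub in
rdr-anchor "relayd/*"
nat on $ext_if from (carp1:network) -> (carp0:0)
block in log
pass out
pass quick on $int_if
pass quick on carp1
antispoof quick for { lo $int_if carp1}
pass quick proto carp
pass quick proto icmp
pass in on $ext_if proto tcp to ($ext_if) port ssh
pass quick proto tcp from any to any port http
"""

# Rule keywords by section (assumed list; covers what this pf.conf uses).
TRANSLATION = ("nat", "rdr", "binat", "nat-anchor", "rdr-anchor", "binat-anchor")
FILTER = ("block", "pass", "antispoof", "anchor")


def parse_rules(text):
    """Return [(lineno, keyword, line)] for rule lines, with $macros expanded."""
    macros = {}
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?$', line)
        if m:  # macro definition such as ext_if="pcn0"
            macros[m.group(1)] = m.group(2)
            continue
        for name, val in macros.items():
            line = line.replace("$" + name, val)
        rules.append((n, line.split()[0], line))
    return rules


def check_relayd_pf(text, anchor="relayd/*", port="http"):
    """Return a list of findings; an empty list means pf.conf looks usable."""
    findings = []
    rules = parse_rules(text)

    # 1. relayd needs the anchor to exist, or it has nowhere to load rdr rules.
    if not any(kw == "rdr-anchor" and anchor in line for _, kw, line in rules):
        findings.append(f'no rdr-anchor "{anchor}" rule: relayd has nowhere '
                        "to load its rdr rules")

    # 2. Translation rules must precede filter rules in pre-4.7 PF.
    first_filter = next((n for n, kw, _ in rules if kw in FILTER), None)
    for n, kw, line in rules:
        if kw in TRANSLATION and first_filter is not None and n > first_filter:
            findings.append(f"line {n}: translation rule after first filter "
                            f"rule (line {first_filter}): {line}")

    # 3. The anchor only translates; the filter must still pass the port.
    pat = re.compile(rf"\bport\s+{re.escape(port)}\b")
    if not any(kw == "pass" and pat.search(line) for _, kw, line in rules):
        findings.append(f"no pass rule for port {port}: redirected traffic "
                        "would still be dropped by the filter")
    return findings


if __name__ == "__main__":
    problems = check_relayd_pf(PF_CONF)
    print("\n".join(problems) if problems else "pf.conf: no findings")
```

Run against the posted pf.conf it reports nothing, which matches Wijnand's "Yes, sure I did" and moves the search back to what relayd actually puts into the anchor (for example `pfctl -a relayd/www -sn` on the box).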