"match" is a modifier. The settings are remembered and applied by the
pass rule lower in the ruleset which permits the traffic to go through.



On 2010-06-17, Alessandro Baggi <alessandro.ba...@gmail.com> wrote:
> Hi misc.
> I've an OpenBSD 4.7 firewall with 3 NICs, one for LAN, one for WAN and one 
> for DMZ. On the same machine I've a squid proxy, and in the DMZ I've a web 
> server.
> My problem is when I get a request for the web server on dmz by a lan 
> client.
> In my ruleset I've this rdr rules for http request:
>
> match in on $int proto tcp from $int:network to any port 80 rdr-to 
> $int:0 port 3128
>
> and it works fine for all requests.
>
> When I make from a $int:network client an http request like 
> "http://mydomain.ath.cx", the proxy (working with rdr rule or browser 
> config) gives me the web management of my router.
> Then I've tried a first set:
>
> match in quick on $int proto tcp from $int:network to mydomain.ath.cx 
> port 80 rdr-to $apache port 80
> match in quick on $int proto tcp from $int:network to $int:0 port 3128 
> rdr-to $apache port 80
> match in on $int  proto tcp from $int:network to any port 80 rdr-to 
> $int:0 port 3128
>
> but the behaviour is the same.
>
> I've tried to modify my rdr rules into (second set):
>
> pass in quick on $int proto tcp from $int:network to mydomain.ath.cx 
> port 80 rdr-to $apache port 80
> pass in quick on $int proto tcp from $int:network to $int:0 port 3128 
> rdr-to $apache port 80
> match in on $int proto tcp from $int:network to any port 80 rdr-to 
> $int:0 port 3128
>
> and it works fine.
>
> I've tried third ruleset:
>
> match in on $int proto tcp from $int:network to any port 80 rdr-to 
> $int:0 port 3128
> match in on $int proto tcp from any to mydomain.ath.cx port 80 rdr-to 
> $apache port 80
>
> but doesn't work.
>
> My question is about these three ruleset.
>
> Why, in the first ruleset with match in quick rules, does the quick keyword not 
> affect the third rule, the squid redirection?
> Why do the pass rules work instead of the match rules?
> Why in the third ruleset does match in on $int... not work? Is the rule 
> parsing "last matching rule"?
>
>
> thanks in advance
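To make the answer concrete, here is a small model of how pf walks a ruleset, added as an example for this thread and not code from the OpenBSD project or from either poster. It models the two points that matter here: a match rule only attaches its options (rdr-to) and never decides whether the packet passes, so a later pass rule is what actually lets the traffic through; and pass/block rules follow "last matching rule wins" unless quick ends evaluation. It also assumes, as pf does since the 4.7 translation rewrite, that a rdr-to is applied the moment its rule matches, so later rules are compared against the rewritten destination. The interface and source qualifiers (in on $int, from $int:network) are the same on every rule in the thread and are left out; the addresses are constructed stand-ins for $int:0, $apache and mydomain.ath.cx; and quick on a match rule (the first ruleset in the question) is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses standing in for the variables in the thread's ruleset.
INT_ADDR = "10.0.1.1"        # $int:0, the firewall's LAN address; squid listens on 3128
APACHE = "10.0.2.10"         # $apache, the web server in the DMZ
WEB_ADDR = "203.0.113.5"     # what mydomain.ath.cx resolves to (the router's public side)
OTHER_SITE = "198.51.100.7"  # any other web site a LAN client browses to


@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                              # "match", "pass" or "block"
    dst: str = "any"                         # destination address or "any"
    dport: Optional[int] = None              # destination port, None = any
    quick: bool = False                      # stop evaluation on this rule
    rdr_to: Optional[Tuple[str, int]] = None  # (address, port) to redirect to


def matches(rule: Rule, pkt: Packet) -> bool:
    return rule.dst in ("any", pkt.dst) and rule.dport in (None, pkt.dport)


def evaluate(ruleset: List[Rule], pkt: Packet) -> Tuple[str, Packet]:
    """Walk the ruleset top to bottom and return (decision, packet as delivered).

    The default policy is assumed to be "block all": a packet touched only by
    match rules is not passed, because match never decides anything.
    """
    decision = "block"
    for rule in ruleset:
        if not matches(rule, pkt):
            continue
        if rule.rdr_to is not None:
            # Assumption about pf: the translation is applied immediately, so
            # every rule below this one sees the rewritten destination.
            pkt = Packet(*rule.rdr_to)
        if rule.action == "match":
            continue                 # options attached; keep evaluating
        decision = rule.action       # pass/block: last matching rule wins ...
        if rule.quick:
            break                    # ... unless it is quick
    return decision, pkt


# The reply's point: a match rule alone; then the same with the pass rule below it.
MATCH_ONLY = [Rule("match", dport=80, rdr_to=(INT_ADDR, 3128))]
MATCH_THEN_PASS = MATCH_ONLY + [Rule("pass")]

# The question's second ruleset (the one that works), plus the pass rule below it.
SECOND_SET = [
    Rule("pass", dst=WEB_ADDR, dport=80, quick=True, rdr_to=(APACHE, 80)),
    Rule("pass", dst=INT_ADDR, dport=3128, quick=True, rdr_to=(APACHE, 80)),
    Rule("match", dport=80, rdr_to=(INT_ADDR, 3128)),
    Rule("pass"),
]

# The question's third ruleset, plus the pass rule below it.
THIRD_SET = [
    Rule("match", dport=80, rdr_to=(INT_ADDR, 3128)),
    Rule("match", dst=WEB_ADDR, dport=80, rdr_to=(APACHE, 80)),
    Rule("pass"),
]

if __name__ == "__main__":
    print("match only        :", evaluate(MATCH_ONLY, Packet(OTHER_SITE, 80)))
    print("match + pass      :", evaluate(MATCH_THEN_PASS, Packet(OTHER_SITE, 80)))
    print("second set, web   :", evaluate(SECOND_SET, Packet(WEB_ADDR, 80)))
    print("second set, other :", evaluate(SECOND_SET, Packet(OTHER_SITE, 80)))
    print("third set, web    :", evaluate(THIRD_SET, Packet(WEB_ADDR, 80)))
```

Running it shows the match-only ruleset redirecting to squid but still blocking, the same ruleset passing once a pass rule follows, the second ruleset sending a request for mydomain.ath.cx to $apache (the quick pass rule wins before the squid match rule is reached), and the third ruleset sending that same request to squid: the first match rule has already rewritten the destination to $int:0 port 3128, so the second match rule's "to mydomain.ath.cx port 80" no longer matches.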
