pf use: is my idea reasonable?

Howdy.

I've read some good articles and documents about pf, but I'm not entirely clear on something I'd like to do.

First off, I'm trying to prep an OpenBSD32 machine to replace a SpeedStream router/firewall.

We have three external IPs. One is for our Citrix server, one for our webserver, and one for our mailserver. I'd like to map each of those three external IPs to a static internal IP.

For example, I want

204.111.222.34 <-> 10.1.72.9,
204.111.222.35 <-> 10.1.72.6, and
204.111.222.36 <-> 10.1.72.10

I believe all other (typically user) traffic that leaves our office goes out on 204.111.222.33.

So I'm thinking I would use binat to permanently associate all traffic with each of those fixed external IPs with the appropriate internal fixed IPs.

Then all the rest of the incoming traffic would be a result of outgoing traffic from .33, and thus would return to .33 and NAT would handle getting it to the appropriate internal address.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related openbsd.org Links advocacy announce bugs ipv6 misc ports ports-changes security-announce smp source-changes tech Request more information about Pantek

Does this make any sense? I've done something like this in the past, but it was using rdr to route incoming traffic based on port. I could do that in this case, but I have some reasons for not wanting to do it that way.

Thanks for any comments or references to information. MT
Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop! http://platinum.yahoo.com Received on Mon Mar 31 17:07:46 2003