# RDR rules in pf and source ip.



## wellwet (Apr 28, 2010)

Hi!

I've got a problem with rdr rules in pf. I've got a firewall running FreeBSD which redirects port 80 to a web server on the LAN behind this firewall. The rdr rules work fine, but in the Apache access log I see only the firewall IP. The configuration of pf is something like this:


```
ext_if="xl0"                    # external interface of the firewall
int_ifw="xl2"                   # internal interface of the firewall
ext_ip="xxx.xxx.xxx.xxx"        # external ip of the firewall
int_netw="172.16.1.5"           # ip of web server

nat on $int_ifw proto tcp from any to 172.16.1.5 port 80 -> ($int_ifw)
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $int_netw port 80

block in all

pass in on $ext_if proto tcp from any to $int_netw port 80 keep state
```


Official pf documentation says that rdr rules apply before filtering, so the source IP of the client of the web server is substituted by the firewall's internal IP. Is there any way to keep the real source IP of the client of the web server? Also I have a mail server behind the firewall and I need to know the real IP of clients to block untrusted connections.

Thanks!


----------



## DutchDaemon (Apr 28, 2010)

Use nat on the external interface. You don't have to explicitly nat traffic to your internal network.


```
nat on $ext_if from $int_net to any -> $ext_if
rdr pass on $ext_if inet proto tcp from any to $ext_if port 80 -> $webserver
pass out on $int_if inet proto tcp from any to $webserver port 80
```

should work fine.


----------
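The layout DutchDaemon describes, written out as a complete pf.conf so the two NAT placements can be compared side by side. This is an added example, not configuration from the thread; it uses the FreeBSD pf syntax of that period, and the interface names, the LAN subnet, the mail server address (`172.16.1.6`) and the blocklist table are assumptions. It goes slightly beyond the answer by also redirecting SMTP and adding a firewall-side blocklist, since wellwet's question mentions both the mail server and blocking untrusted clients.

```pf
# Added example (not from the thread). Addresses and interface names are placeholders.
ext_if = "xl0"                  # external interface of the firewall
int_if = "xl2"                  # internal (LAN) interface of the firewall
int_net = "172.16.1.0/24"       # LAN behind the firewall (assumed subnet)
webserver = "172.16.1.5"        # web server on the LAN (address from the thread)
mailserver = "172.16.1.6"       # mail server on the LAN (assumed address)

# Hosts the mail admin wants kept out, loaded from a file (assumed path).
table <untrusted> persist file "/etc/pf.untrusted"

set skip on lo0
scrub in all

# WRONG (the original post): translating on the internal interface rewrites
# every client's source address to the firewall's LAN address, so the web
# server's access log only ever shows the firewall.
# nat on $int_if proto tcp from any to $webserver port 80 -> ($int_if)

# RIGHT: only LAN traffic leaving on the external interface needs source NAT.
# Redirected inbound connections are untouched and keep the real client address.
# ($ext_if) in parentheses tracks the interface address if it changes.
nat on $ext_if from $int_net to any -> ($ext_if)

# Drop listed hosts before any redirect or pass rule is considered.
block in quick on $ext_if from <untrusted> to any

# Redirect inbound HTTP and SMTP to the LAN hosts. "pass" admits the packet
# without a separate filter rule; "log" records the untranslated client
# address on pflog0, so the firewall keeps its own record of who connected.
rdr pass log on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $webserver
rdr pass log on $ext_if inet proto tcp from any to ($ext_if) port 25 -> $mailserver

block in log all

# Forwarded connections leave on the internal interface; keep state so the
# replies from the LAN hosts are matched without further rules.
pass out on $int_if inet proto tcp from any to $webserver port 80 keep state
pass out on $int_if inet proto tcp from any to $mailserver port 25 keep state

# Let the LAN and the firewall itself reach the outside.
pass in on $int_if from $int_net to any keep state
pass out on $ext_if from any to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s nat` then shows the translation rules in effect, `pfctl -s state` shows each redirected connection with the real client address as its source, and `tcpdump -n -e -ttt -i pflog0` shows the packets the `log` keyword recorded. On the web server, the access log should now carry client addresses instead of `172.16.1.5`'s gateway.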



## wellwet (Apr 29, 2010)

DutchDaemon, that's great! Thank you very much! You saved my day!!!


----------



## msyamsuri (May 11, 2010)

DutchDaemon, 

thanks, it works smoothly for me

http://panaharjuna.wordpress.com/2010/05/11/pf-firewall-squid-transparent-port-forward-rdp/


----------

