I have an OpenBSD 3.2 pf firewall with three nic cards. One is external,
one is a protected network, and one is a dmz. The external and
protected seem to be set up to my wishes. A web server in the dmz is
nicely accessible from the internet. It has a separate static ip on the
external interface, the web server has a non-routable address, and I nat
its address and do a redirect for port 80 and it works. I got this far
by cut and try.
Suppose I now want to isolate the web server on the dmz further. I try
various pass in and pass outs on the dmz interface and just get in
trouble. The FAQ hints that trying this sort of combination of nat,
rdr, pass, and block, requires specialized knowledge, which it is now
obvious I do not have.
This is intended to be a prototype for a four nic card firewall on which
the new nic card runs a wi-fi ap. At this point, my failure to
control the dmz interface completely suggests the wi-fi ap will need a
separate firewall and if I really want to control the dmz further, I
would need a firewall box for it.
Is there an alternative I can implement with just one firewall box or is
my proposed approach of multiple firewall boxes the best approach for me?
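One single-box layout of the rules the post describes (nat plus rdr for the web server, with the dmz interface locked down rather than left open), as an added example that is not the poster's own pf.conf. Interface names, addresses and the choice to let the server out only for DNS and NTP are assumptions; the syntax is the pre-4.7 pf style with a separate translation section, as on 3.2.

```pf
# Added example, not the poster's config. Interface names and addresses
# are assumed placeholders. Rule order matters: pf evaluates last match
# unless "quick" is used, so the default block comes first.
ext_if  = "fxp0"                # external
int_if  = "fxp1"                # protected network
dmz_if  = "fxp2"                # dmz
int_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
web_srv = "192.168.2.10"        # non-routable web server address
web_ext = "203.0.113.80"        # separate static ip on the external interface

scrub in all

# Translation: hide the dmz host behind its public address, forward port 80.
nat on $ext_if from $web_srv to any -> $web_ext
rdr on $ext_if proto tcp from any to $web_ext port 80 -> $web_srv port 80

# Default deny on every interface; log the blocks so mistakes are visible.
block log all

# External: translation runs before filtering, so the filter sees the
# packet already rewritten to the internal address, not $web_ext.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state

# dmz interface: deliver the forwarded web traffic and nothing else.
pass out on $dmz_if proto tcp from any to $web_srv port 80 flags S/SA keep state

# The server may answer, but may never open connections into the
# protected network; "quick" stops evaluation here.
block in log quick on $dmz_if from $dmz_net to $int_net

# Outbound from the server: only DNS and NTP. On $ext_if the source has
# already been translated, so the out rule must name $web_ext.
pass in  on $dmz_if proto udp from $web_srv to any port { 53, 123 } keep state
pass out on $ext_if proto udp from $web_ext to any port { 53, 123 } keep state

# Protected network: may reach the internet and the dmz web server.
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if from $int_net to any keep state
pass out on $dmz_if proto tcp from $int_net to $web_srv port 80 flags S/SA keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -n -e -ttt -i pflog0` to see which rule is dropping the traffic that "gets in trouble".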