Scott Seekamp
2018-04-10 17:57:18 UTC
Hello!
I’m setting up Relayd for a few services in my lab as a test bed and couldn’t find answers in the docs on expected behavior.
Is it better/worse/no difference to split ip4 from ip6 redirects and relays:
Combined:
redirect "ldap" {
        listen on $ext_addr port 389
        listen on $ext_v6 port 389
        forward to <ldaphosts> check tcp
}
Split:
redirect "smtprelay4" {
        listen on $ext_addr port 25
        forward to <relayhosts4> check tcp
}
redirect "smtprelay6" {
        listen on $ext_v6 port 25
        forward to <relayhosts6> check tcp
}
Does it depend on whether it’s a relay or redirect?
My pf rules end up looking like this for the redirects:
anchor "ldap" all {
        pass in quick on rdomain 0 inet6 proto tcp from any to "ip6 addr" port = 389 flags S/SA keep state (tcp.established 600) rdr-to <ldap> port 389 round-robin
        pass in quick on rdomain 0 inet proto tcp from any to "ip4 addr" port = 389 flags S/SA keep state (tcp.established 600) rdr-to <ldap> port 389 round-robin
}
with the <ldap> table containing both the ip4 and ip6 address.
Thanks!
Scott