OpenBSD relayd
I've been using OpenBSD 5.7 as my network router for a while, and I'm always impressed by the tools avaliable.
Instead of using direct ipv6 forwarding, or NAT port forwards for services, I've found it a lot easier to use the OpenBSD relayd software to listen on my ingress port, then to relay the traffic in. Additionally, this allows relayd to listen on ipv4 and ipv6 and to rewrite connections to the backend to be purely ipv6.
This helps to keep my pf.conf small and clean, and just focussed on security and inter-vlan / vrf traffic.
The only changes to pf.conf needed are:
anchor "relayd/*" rtable 0
The relayd.conf man page is fantastic and detailed. Read through it for help, but my basic config is:
:
ext_addr="ipv4"
ext_addr6="ipv6"
smtp_port="25"
smtp_addr="2001:db8:0::2"
table <smtp> { $smtp_addr }
protocol "tcp_service" {
tcp { nodelay, socket buffer 65536 }
}
relay "smtp_ext_forwarder" {
listen on $ext_addr port $smtp_port
listen on $ext_addr6 port $smtp_port
protocol "tcp_service"
forward to <smtp> port $smtp_port check tcp
}
That's it! Additionally, a great benefit is that when the SMTP server goes away, the check tcp will notice the server is down and drop the service. This means that you won't have external network traffic able to poke your boxes when services are down or have been re-iped and someone forgets to disable the load balancer configs.
This also gives me lots of visibility into the service and connected hosts:
relayctl show sum
Id Type Name Avlblty Status
1 relay smtp_ext_forwarder active
1 table smtp:25 active (1 hosts)
1 host 2001:db8:0::2 99.97% up
relayctl show sessions
session 0:53840 X.X.X.X:3769 -> 2001:db8:0::2:25 RUNNING
age 00:00:01, idle 00:00:01, relay 1, pid 19574
So relayd has simplified my router configuration for external services and allows me to see and migrate services internally without fuss of my external configuration.