From owner-freebsd-pf@FreeBSD.ORG Mon Sep 12 11:02:08 2005
Date: Mon, 12 Sep 2005 11:02:07 GMT
Message-Id: <200509121102.j8CB27Qf025518@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you
List-Id: "Technical discussion and general questions about packet filter (pf)"

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/06/15]  kern/82271  pf     [pf] cbq scheduler cause bad latency

1 problem total.

Non-critical problems
S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/05/15]  conf/81042  pf     [patch] /etc/pf.os doesn't match FreeBSD

1 problem total.

From owner-freebsd-pf@FreeBSD.ORG Wed Sep 14 09:38:36 2005
Message-ID: <4327EF93.7060600@infoweapons.com>
Date: Wed, 14 Sep 2005 17:38:27 +0800
From: "Ivan R. Sy Jr." <isy@infoweapons.com>
To: freebsd-pf@freebsd.org
Subject: IPv6 CARP with preempt not working

Hi All!

Has anyone of you guys found a suitable solution/lead to this issue?

If you enable a CARP interface with an IPv4 and an IPv6 address it would work pretty neat.

  carp0: flags=41 mtu 1500
          inet 10.3.2.30 netmask 0xff000000
          inet6 2001:abc:4002::ff30 prefixlen 64
          carp: MASTER vhid 1 advbase 1 advskew 1

But with net.inet.carp.preempt=1 IPv6 won't work.
Perhaps there are no inet6 sysctls? Any help or advice is highly appreciated.

Thanks

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 09:07:53 2005
Date: Thu, 15 Sep 2005 14:07:52 +0500
From: "Andrew A. Leikand" <leikand@gmail.com>
Reply-To: leikand@gmail.com
To: freebsd-pf@freebsd.org
Subject: ipf bimap analogue in pf

Dear all,

I've got a pf-powered firewall (FBSD 5.4) which does NATing and filtering.
I'd want to add one more IP address on the external interface and redirect all kinds of incoming IP traffic to the internal host. I used to do it with the ipf rule

  bimap ext-interface x.x.x.a/32 -> y.y.y.y/32

Is it possible to achieve this with pf?

---
WBR
Andrew

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 09:11:17 2005
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org, leikand@gmail.com
Date: Thu, 15 Sep 2005 11:11:35 +0200
Message-Id: <200509151111.46602.max@love2party.net>
Subject: Re: ipf bimap analogue in pf

On Thursday 15 September 2005 11:07, Andrew A. Leikand wrote:
> Dear all,
> I've got a pf-powered firewall FBSD 5.4 which does NATing and
> filtering. I'd want to add one more IP address on the external interface
> and redirect all kinds of incoming IP traffic to the internal host.
> I used to do it with ipf rule "bimap ext-interface x.x.x.a/32 ->
> y.y.y.y/32".
>
> Is it possible to achieve this with pf ?

It's called "binat" in the case of pf. See pf.conf(5)::TRANSLATION for more
details.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 09:20:57 2005
Date: Thu, 15 Sep 2005 14:20:56 +0500
From: "Andrew A. Leikand" <leikand@gmail.com>
To: Max Laier
Cc: freebsd-pf@freebsd.org
In-Reply-To: <200509151111.46602.max@love2party.net>
References: <200509151111.46602.max@love2party.net>
Subject: Re: ipf bimap analogue in pf

Thanks a lot, Max. Sorry for my blindness (

2005/9/15, Max Laier:
> On Thursday 15 September 2005 11:07, Andrew A. Leikand wrote:
> > Dear all,
> > I've got a pf-powered firewall FBSD 5.4 which does NATing and
> > filtering. I'd want to add one more IP address on the external interface
> > and redirect all kinds of incoming IP traffic to the internal host.
> > I used to do it with ipf rule "bimap ext-interface x.x.x.a/32 ->
> > y.y.y.y/32".
> >
> > Is it possible to achieve this with pf ?
>
> It's called "binat" in the case of pf. See pf.conf(5)::TRANSLATION for more
> details.
>
> --
> /"\  Best regards,                      | mlaier@freebsd.org
> \ /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> / \  ASCII Ribbon Campaign              | Against HTML Mail and News
>
>

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 10:11:34 2005
Date: Thu, 15 Sep 2005 11:14:44 +0100
From: Brian Candler <b.candler@pobox.com>
To: freebsd-pf@freebsd.org
Message-ID: <20050915101444.GA836@uk.tiscali.com>
Subject: Using 'rdr' on outbound connections

Hello,

I would like to use pf to trap all locally-originated outbound connections to port 25 on any remote host, and redirect them to a local mailserver. I tried:

  rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25

but it doesn't seem to work (i.e. 'telnet mail.foo.com 25' connects as normal).

Using other rdr rules, I can demonstrate rdr works if the connection originates from outside the machine, or if the connection is from the machine back to itself (e.g. telnet localhost 1234 where rdr redirects port 1234 to port 25). I just can't get connections from this machine to the outside world to be redirected.

Is this correct? Is there a way to make it work the way I want?

I am running FreeBSD-5.4-RELEASE.

Unfortunately, for other reasons, 'ipfw' and 'ipf' won't work for me either:

(1) with ipfw and 'fwd 127.0.0.1,25' I can happily redirect all outbound port 25 connections to the local SMTP server:

  ipfw -f flush
  ipfw add allow ip from any to any uid mailnull
  ipfw add fwd 127.0.0.1,25 tcp from any to any 25
  ipfw add allow ip from any to any

However, the local SMTP server is unable to use ident (RFC1413) to determine the userid of the person originating the connection, probably because of the way ipfw fwd messes with sockets so that the remote IP is treated as local. Unfortunately, I need ident for the SMTP server to be able to identify the sender to perform per-user accounting / rate limiting.

(2) with ipf, there is no 'user' or 'uid' matching, and I need this so that the SMTP server itself is allowed to make outbound SMTP connections, as shown in the ipfw rules above. Because of this, I've not tested ipf to see if it can actually redirect the connections.

(I thought of putting the untrusted users in a jail(8) and having the trusted SMTP server outside, bound to a different IP. But at the moment the untrusted users are locked up using Apache mod_chroot which doesn't know about jails; I would have to write a mod_jail.)

Any suggestions for how to solve this problem gratefully received...

Thanks,

Brian Candler.
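For the ipf bimap question Max answered above (pf's binat, see pf.conf(5) TRANSLATION), an added pf.conf fragment that is not part of the thread; the interface name, the alias address and the internal host are assumed placeholders.

```pf
# Added example, not from the thread. pf counterpart of the ipf rule
#   bimap ext-interface x.x.x.a/32 -> y.y.y.y/32
# Interface, alias address and internal host are assumptions (placeholders):
ext_if    = "fxp0"
ext_alias = "192.0.2.10"       # second address on ext_if, e.g. via
                               #   ifconfig fxp0 alias 192.0.2.10 netmask 255.255.255.255
int_host  = "192.168.1.20"     # internal machine that should answer as $ext_alias

# binat is a bidirectional 1:1 mapping, like bimap: packets arriving on
# $ext_if for $ext_alias have their destination rewritten to $int_host, and
# packets leaving from $int_host have their source rewritten to $ext_alias.
binat on $ext_if from $int_host to any -> $ext_alias

# Translation alone does not pass anything; the filter rules still decide.
# Filter rules see the packet after translation, so match on $int_host here.
# "all kinds of incoming IP traffic" would be "pass in on $ext_if from any to $int_host";
# restricting the inbound side to the services actually offered is safer:
pass in  on $ext_if proto tcp from any to $int_host port { 22, 80, 443 } keep state
pass out on $ext_if from $int_host to any keep state
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check, then pfctl -f /etc/pf.conf.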
From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 10:42:21 2005
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: 'Brian Candler', freebsd-pf@freebsd.org
Date: Thu, 15 Sep 2005 11:42:18 +0100
In-Reply-To: <20050915101444.GA836@uk.tiscali.com>
Message-Id: <20050915104218.54C684D@gw2.local.net>
Subject: RE: Using 'rdr' on outbound connections

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org
> [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Brian Candler
> Sent: 15 September 2005 11:15
> To: freebsd-pf@freebsd.org
> Subject: Using 'rdr' on outbound connections
>
> Hello,
>
> I would like to use pf to trap all locally-originated
> outbound connections to port 25 on any remote host, and
> redirect them to a local mailserver.
>
> I tried:
>
> rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25
>

Try tying that rdr to the inside interface. This for example

  ~ # grep -i rdr /etc/pf.conf | grep 3128
  rdr pass on $Int proto tcp from $LAN to ! port www -> 127.0.0.1 port 3128
  rdr pass on $Int proto tcp from $LAN to $Int:0 port 3128 -> 127.0.0.1 port 3128

Works fine to redirect http transparently to squid and provide inline http proxying when needed.

Greg

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 11:14:12 2005
Date: Thu, 15 Sep 2005 12:17:12 +0100
From: Brian Candler <b.candler@pobox.com>
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Message-ID: <20050915111712.GA1110@uk.tiscali.com>
References: <20050915101444.GA836@uk.tiscali.com> <20050915104218.54C684D@gw2.local.net>
In-Reply-To: <20050915104218.54C684D@gw2.local.net>
Subject: Re: Using 'rdr' on outbound connections

On Thu, Sep 15, 2005 at 11:42:18AM +0100, Greg Hennessy wrote:
> Try tying that rdr to the inside interface.

Well, there isn't an "inside" interface as such. This machine has one interface, fxp0, and I'm talking about connections originating from the local machine to the outside world. (The application is to trap SMTP output from CGI scripts running on a webserver.)

Anyway, I've just tried

  rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25
  rdr pass on lo0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
  rdr pass on fxp0 proto tcp from any to any port 25 -> 127.0.0.1 port 25

and still no redirection takes place:

  # telnet psg.com 25
  Trying 147.28.0.62...
  Connected to psg.com.
  Escape character is '^]'.
  220 psg.com ESMTP Exim 4.50 Thu, 15 Sep 2005 11:12:56 +0000

Regards,

Brian.
From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 11:39:23 2005
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: 'Brian Candler'
Cc: freebsd-pf@freebsd.org
Date: Thu, 15 Sep 2005 12:39:18 +0100
In-Reply-To: <20050915111712.GA1110@uk.tiscali.com>
Message-Id: <20050915113918.173F24D@gw2.local.net>
Subject: RE: Using 'rdr' on outbound connections

> rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25
> rdr pass on lo0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
> rdr pass on fxp0 proto tcp from any to any port 25 -> 127.0.0.1 port 25

Have you tried rdr on its own combined with an explicit pass rule in your policy?

Greg

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 12:04:39 2005
Date: Thu, 15 Sep 2005 13:07:49 +0100
From: Brian Candler <b.candler@pobox.com>
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Message-ID: <20050915120749.GA1235@uk.tiscali.com>
References: <20050915111712.GA1110@uk.tiscali.com> <20050915113918.173F24D@gw2.local.net>
In-Reply-To: <20050915113918.173F24D@gw2.local.net>
Subject: Re: Using 'rdr' on outbound connections

On Thu, Sep 15, 2005 at 12:39:18PM +0100, Greg Hennessy wrote:
> > rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25
> > rdr pass on lo0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
> > rdr pass on fxp0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
>
> Have you tried rdr on its own combined with an explicit pass rule in your
> policy ?

I tried 'rdr' by itself originally, yes. There is no extra policy at all in this ruleset; that's my entire /etc/pf.conf. Since filter policy defaults to 'pass', then it shouldn't make any difference, should it?

I appreciate you making suggestions, but perhaps if you have a spare machine available, you could try replicating the problem? It's different from your squid setup, where traffic originates from another client and passes through your FreeBSD router. As I said before, I've demonstrated to myself that rdr works when the traffic is inbound from another machine.

Regards,

Brian.

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 12:16:22 2005
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: 'Brian Candler'
Cc: freebsd-pf@freebsd.org
Date: Thu, 15 Sep 2005 13:16:19 +0100
In-Reply-To: <20050915120749.GA1235@uk.tiscali.com>
Message-Id: <20050915121619.68C874D@gw2.local.net>
Subject: RE: Using 'rdr' on outbound connections

>
> I tried 'rdr' by itself originally, yes. There is no extra
> policy at all in this ruleset; that's my entire /etc/pf.conf.
> Since filter policy defaults to 'pass', then it shouldn't
> make any difference, should it?

It could do. Make the 1st line of the policy

  block log all

And see what it catches.

>
> I appreciate you making suggestions, but perhaps if you have
> a spare machine available, you could try replicating the
> problem?

Nothing spare I'm afraid.

> It's different from your squid setup, where traffic
> originates from another client and passes through your
> FreeBSD router. As I said before, I've demonstrated to myself
> that rdr works when the traffic is inbound from another machine.

Code up a very specific pass log quick rule with a default policy of block. If the pass rule doesn't catch it, the block log all should tell you what the specifics are.

Greg

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 12:33:44 2005
Date: Thu, 15 Sep 2005 13:36:54 +0100
From: Brian Candler <b.candler@pobox.com>
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Message-ID: <20050915123654.GA1315@uk.tiscali.com>
References: <20050915120749.GA1235@uk.tiscali.com> <20050915121619.68C874D@gw2.local.net>
In-Reply-To: <20050915121619.68C874D@gw2.local.net>
Subject: Re: Using 'rdr' on outbound connections

On Thu, Sep 15, 2005 at 01:16:19PM +0100, Greg Hennessy wrote:
> It could do,
>
> Make the 1st line of the policy
>
> block log all
>
> And see what it catches.

/etc/pf.conf now:

  rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25
  rdr pass on lo0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
  rdr pass on fxp0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
  block log all

Not surprisingly, it blackholes everything.

  # telnet -N 147.28.0.39 25
  Trying 147.28.0.39...
  telnet: connect to address 147.28.0.39: Operation not permitted
  telnet: Unable to connect to remote host

  # tcpdump -r /var/log/pflog

just shows:

  13:26:09.426570 IP bloodhound.noc.clara.net.57393 > rip.psg.com.smtp: S 360892497:360892497(0) win 65535

(that's it; no RST, no ICMP ADMIN-PROHIBITED)

I'm coming to the conclusion that 'rdr' acts on an "inbound" interface, i.e. packets arriving at the kernel, and locally-originated packets don't match any interface; or something like that. But I was hoping there would be someone on the list who has a reasonably deep knowledge of the 'pf' code and could explain whether what I want to do is not possible, or if it is, how to do it.

Thanks,

Brian.
From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 13:09:30 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 304B616A41F for ; Thu, 15 Sep 2005 13:09:30 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net) Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id C85D643D45 for ; Thu, 15 Sep 2005 13:09:29 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net) Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id 54EC124F281 for ; Thu, 15 Sep 2005 14:09:26 +0100 (BST) From: "Greg Hennessy" To: "'Brian Candler'" Date: Thu, 15 Sep 2005 14:09:27 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.6353 In-Reply-To: <20050915123654.GA1315@uk.tiscali.com> Thread-Index: AcW58b0OjvVxGtx8S1u5hY9kVps+ngAAF3Gg X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830 Message-Id: <20050915130927.4A1584D@gw2.local.net> Cc: freebsd-pf@freebsd.org Subject: RE: Using 'rdr' on outbound connections X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Sep 2005 13:09:30 -0000 > Not surprisingly, it blackholes everything. The joys of a default deny. Add a pass all on lo0 keep state Just keep things listening there sweet. > > # telnet -N 147.28.0.39 25 > Trying 147.28.0.39... 
> telnet: connect to address 147.28.0.39: Operation not permitted
> telnet: Unable to connect to remote host
>
> # tcpdump -r /var/log/pflog
>
> just shows:
>
> 13:26:09.426570 IP bloodhound.noc.clara.net.57393 >
> rip.psg.com.smtp: S 360892497:360892497(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 9750257 0>
>
> (that's it; no RST, no ICMP ADMIN-PROHIBITED)

You need to

set block-policy return

For that to happen.

Now that it's caught it and we know what the specifics are. Try

# assuming fxp0 and bloodhound.noc.clara.net are one and the same.
rdr pass on fxp0 proto tcp from fxp0 to !fxp0 port smtp -> 127.0.0.1 port smtp

And see does that work.

> I'm coming to the conclusion that 'rdr' acts on an "inbound"
> interface, i.e.
> packets arriving at the kernel, and locally-originated
> packets don't match any interface; or something like that.

It would be rather hard to filter on userid if that was the case.

Greg

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 13:52:24 2005
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Date: Thu, 15 Sep 2005 15:51:10 +0200
References: <20050915120749.GA1235@uk.tiscali.com> <20050915121619.68C874D@gw2.local.net> <20050915123654.GA1315@uk.tiscali.com>
In-Reply-To: <20050915123654.GA1315@uk.tiscali.com>
Message-Id: <200509151551.24419.max@love2party.net>
Cc: Greg Hennessy, Brian Candler
Subject: Re: Using 'rdr' on outbound connections

On Thursday 15 September 2005 14:36, Brian Candler wrote:
> On Thu, Sep 15, 2005 at 01:16:19PM +0100, Greg Hennessy wrote:
> > It could do,
> >
> > Make the 1st line of the policy
> >
> > block log all
> >
> >
> > And see what it catches.
>
> /etc/pf.conf now:
> rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25
> rdr pass on lo0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
> rdr pass on fxp0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
> block log all
>
> Not surprisingly, it blackholes everything.
>
> # telnet -N 147.28.0.39 25
> Trying 147.28.0.39...
> telnet: connect to address 147.28.0.39: Operation not permitted
> telnet: Unable to connect to remote host
>
> # tcpdump -r /var/log/pflog
>
> just shows:
>
> 13:26:09.426570 IP bloodhound.noc.clara.net.57393 > rip.psg.com.smtp: S
> 360892497:360892497(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 9750257 0>
>
> (that's it; no RST, no ICMP ADMIN-PROHIBITED)
>
> I'm coming to the conclusion that 'rdr' acts on an "inbound" interface,
> i.e. packets arriving at the kernel, and locally-originated packets don't
> match any interface; or something like that.
That is correct. RDR-rules are only applied to inbound traffic as displayed
here: http://mniam.net/pf/pf.png To work around this you can install a
route-to rule to loop the packet:

pass out route-to (lo0 127.0.0.1) proto tcp from any to any port 25

This will re-loop the packet, pf will see it as inbound and thus apply the
redirection.

In order to get correct ident replies you need to do more work, I am afraid.
There is oidentd (security/oidentd) which has some functionality to support
NAT in OpenBSD - it might be able to port this over ...

> But I was hoping there would be someone on the list who has a reasonably
> deep knowledge of the 'pf' code and could explain whether what I want to do
> is not possible, or if it is, how to do it.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 13:53:39 2005
From: Boris Polevoy <vapcom@mail.ru>
To: Brian Candler
Cc: freebsd-pf@freebsd.org
Date: Thu, 15 Sep 2005 17:53:37 +0400
Subject: Re[2]: Using 'rdr' on outbound connections
In-Reply-To: <20050915123654.GA1315@uk.tiscali.com>
Reply-To: Boris Polevoy

Hello, Brian!

> I'm coming to the conclusion that 'rdr' acts on an "inbound" interface, i.e.
> packets arriving at the kernel, and locally-originated packets don't match
> any interface; or something like that.
>
> But I was hoping there would be someone on the list who has a reasonably
> deep knowledge of the 'pf' code and could explain whether what I want to do
> is not possible, or if it is, how to do it.
>

RDR only works on incoming packets. This is code from pf.c:

	if (direction == PF_OUT) {
		/* outbound: binat first, then nat; rdr is never consulted */
		r = pf_match_translation(pd, m, off, direction, kif, saddr,
		    sport, daddr, dport, PF_RULESET_BINAT);
		if (r == NULL)
			r = pf_match_translation(pd, m, off, direction, kif,
			    saddr, sport, daddr, dport, PF_RULESET_NAT);
	} else {
		/* inbound: rdr first, then binat */
		r = pf_match_translation(pd, m, off, direction, kif, saddr,
		    sport, daddr, dport, PF_RULESET_RDR);
		if (r == NULL)
			r = pf_match_translation(pd, m, off, direction, kif,
			    saddr, sport, daddr, dport, PF_RULESET_BINAT);
	}

As you can see, pf_match_translation(PF_RULESET_RDR) is called only in the PF_IN direction.
With best regards,
Boris Polevoy

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 13:55:57 2005
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'Max Laier'", freebsd-pf@freebsd.org
Cc: 'Brian Candler'
Date: Thu, 15 Sep 2005 14:55:54 +0100
Subject: RE: Using 'rdr' on outbound connections
Message-Id: <20050915135554.767714D@gw2.local.net>
In-Reply-To: <200509151551.24419.max@love2party.net>

> here: http://mniam.net/pf/pf.png To work around this you can
> install a route-to rule to loop the packet:
>
> pass out route-to (lo0 127.0.0.1) proto tcp from any to any port 25
>
> This will re-loop the packet, pf will see it as inbound and
> thus apply the redirection.

Ahh! Every day a school day :-). Thanks for the heads up Max.
Greg

From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 16:48:51 2005
From: Brian Candler <b.candler@pobox.com>
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Date: Thu, 15 Sep 2005 17:48:15 +0100
Subject: Re: Using 'rdr' on outbound connections
Message-ID: <20050915164815.GA33032@uk.tiscali.com>
References: <200509151551.24419.max@love2party.net> <20050915135554.767714D@gw2.local.net>
In-Reply-To: <20050915135554.767714D@gw2.local.net>

On Thu, Sep 15, 2005 at 02:55:54PM +0100, Greg Hennessy wrote:
> > here: http://mniam.net/pf/pf.png To work around this you can
> > install a route-to rule to loop the packet:
> >
> > pass out route-to (lo0 127.0.0.1) proto tcp from any to any port 25

Works nicely:

rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25
pass out route-to (lo0 127.0.0.1) proto tcp from any to any port 25 user != mailnull

redirects the traffic. But as you say, the ident information is then lost
(ERROR : NO-USER). It looks very strange on a tcpdump, seeing ident packets
going from 127.0.0.1 to a real IP address and back again :-)

But with the magic of oidentd:

# /usr/local/sbin/oidentd -P 127.0.0.1 -u nobody -g nogroup

and hey presto it works. Many thanks!

Regards,

Brian.
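The mechanism explained in Max Laier's and Boris Polevoy's replies, and the ruleset Brian ended up with, as an added example that is not part of the thread and not pf's own code: a small Python model of the translation-ruleset order quoted from pf.c (PF_OUT consults binat then nat; PF_IN consults rdr then binat) together with the `pass out route-to (lo0 127.0.0.1)` trick that re-injects a locally originated packet as inbound on lo0, where the `rdr` rule finally matches it. Rule matching is reduced to protocol, destination port and interface; states, pass/block rules and reply traffic are not modelled. The reading of `user != mailnull` as an exemption that lets the local MTA (running as mailnull) still deliver to remote port 25 directly is my assumption, as is the sample traffic, which is constructed from the hosts named in the thread.

```python
# Added example, not code from the thread or from pf. Models the ruleset
# order in the quoted pf.c excerpt and the route-to loopback workaround.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

PF_IN = "in"
PF_OUT = "out"


@dataclass(frozen=True)
class Packet:
    ifname: str      # interface pf sees the packet on
    direction: str   # PF_IN or PF_OUT
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    uid: str         # owner of the local socket, as used by pf's 'user' keyword


@dataclass(frozen=True)
class XlateRule:
    ruleset: str     # "rdr", "nat" or "binat"
    proto: str
    dport: int
    to_addr: str
    to_port: int
    ifname: Optional[str] = None   # None models a rule written without 'on <if>'


@dataclass(frozen=True)
class RouteToRule:
    # models 'pass out route-to (lo0 127.0.0.1) proto P from any to any port N [user != U]'
    proto: str
    dport: int
    user_not: Optional[str] = None


def match_translation(pkt: Packet, rules: List[XlateRule], ruleset: str) -> Optional[XlateRule]:
    """First rule of the named ruleset matching the packet (cf. pf_match_translation)."""
    for r in rules:
        if (r.ruleset == ruleset and r.proto == pkt.proto and r.dport == pkt.dport
                and (r.ifname is None or r.ifname == pkt.ifname)):
            return r
    return None


def select_translation(pkt: Packet, rules: List[XlateRule]) -> Optional[XlateRule]:
    """Same order as the pf.c excerpt: rdr is only consulted for PF_IN packets."""
    order = ("binat", "nat") if pkt.direction == PF_OUT else ("rdr", "binat")
    for name in order:
        r = match_translation(pkt, rules, name)
        if r is not None:
            return r
    return None


def apply_translation(pkt: Packet, rule: XlateRule) -> Packet:
    """Only rdr rewrites the destination; nat/binat rewrite the source and are left alone here."""
    if rule.ruleset == "rdr":
        return replace(pkt, dst=rule.to_addr, dport=rule.to_port)
    return pkt


def route_to_loopback(pkt: Packet, route_rules: List[RouteToRule]) -> Optional[Packet]:
    """Re-inject a matching outbound packet as inbound on lo0, or None if no rule matches."""
    if pkt.direction != PF_OUT:
        return None
    for rr in route_rules:
        if rr.proto == pkt.proto and rr.dport == pkt.dport and (
                rr.user_not is None or pkt.uid != rr.user_not):
            return replace(pkt, ifname="lo0", direction=PF_IN)
    return None


def process_outbound(pkt: Packet, rules: List[XlateRule],
                     route_rules: List[RouteToRule]) -> Tuple[str, int, List[str]]:
    """Final (dst, dport, path) of a locally originated packet."""
    path = [f"out on {pkt.ifname}"]
    t = select_translation(pkt, rules)            # rdr cannot match in this direction
    if t is not None:
        path.append(f"{t.ruleset} matched")
        pkt = apply_translation(pkt, t)
    looped = route_to_loopback(pkt, route_rules)
    if looped is None:
        return pkt.dst, pkt.dport, path           # leaves the box untranslated
    path.append("route-to lo0, seen again in on lo0")
    t = select_translation(looped, rules)         # now the rdr ruleset is consulted
    if t is not None:
        path.append(f"{t.ruleset} -> {t.to_addr}:{t.to_port}")
        looped = apply_translation(looped, t)
    return looped.dst, looped.dport, path


# Constructed sample traffic: the firewall host (bloodhound.noc.clara.net)
# opening a TCP connection to rip.psg.com port 25, as root.
RDR_ONLY = [XlateRule("rdr", "tcp", 25, "127.0.0.1", 25)]
RELOOP = [RouteToRule("tcp", 25, user_not="mailnull")]
SYN = Packet("fxp0", PF_OUT, "tcp", "195.8.70.207", 57393, "147.28.0.39", 25, uid="root")


def demo() -> dict:
    """Where the SYN ends up under the rulesets discussed in the thread."""
    rdr_only = process_outbound(SYN, RDR_ONLY, [])
    with_reloop = process_outbound(SYN, RDR_ONLY, RELOOP)
    mta = process_outbound(replace(SYN, sport=40000, uid="mailnull"), RDR_ONLY, RELOOP)
    return {"rdr_only": rdr_only[:2], "rdr_plus_route_to": with_reloop[:2],
            "mta_exempt": mta[:2]}


if __name__ == "__main__":
    for name, (dst, port) in demo().items():
        print(f"{name:20s} -> {dst}:{port}")
```

With only the `rdr` rule the outbound SYN leaves untranslated for 147.28.0.39:25 (which is why Brian's first ruleset never redirected anything); adding the route-to rule sends the same SYN back through pf inbound on lo0, where the `rdr` rule rewrites it to 127.0.0.1:25; a connection owned by mailnull is not re-looped and still reaches the remote host.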