From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 13 Jan 2009 15:51:02 +0100
Subject: Re: rdr pass rule
Message-Id: <200901131551.03193.max@love2party.net>

On Tuesday 13 January 2009 02:14:50 Mitar wrote:
> Hi!
>
> I have a system where my daemon is running on a public IP on a high
> port (so that it does not need root privileges, and it is bound to a
> public IP as it runs in a jail) and I would like to translate it to a
> lower port. I would like that just this lower port is publicly
> accessible. This can be done with:
>
> rdr pass on $int_untrust proto tcp from any to $addr_svc port $svc_ext -> $addr_svc port $svc_int
>
> This makes only the $svc_ext port accessible, as the $svc_int port is closed
> (not opened) for traffic.
>
> But I would like to assign this traffic to a queue and thus I cannot
> use the pass option. I wanted to create a rdr rule without the pass option and
> a separate pass rule later on. But the problem is that, as far as I
> understand, pass rules are applied after rdr, so I can set them only
> on an internal port (to which I am translating the public port). But then
> the question is how can I open this internal port so that it is not
> opened to the public, only to traffic coming through a rdr rule?
>
> Is there a general way one can transcribe the rdr pass option to a
> pass rule which would behave in the same way as rdr pass?

The simplest way off the top of my head: Use a "rdr ... tag"-rule and "pass ... tagged" later on.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
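The tag/tagged arrangement suggested above, written out as a pf.conf fragment added here for illustration (it is not from the original message). The macro names are the thread's; their values, the queue names and the tag name are assumed, and the ALTQ lines assume a kernel built with ALTQ and ALTQ_CBQ.

```pf
# Macros: names taken from the thread, values assumed for this example.
int_untrust = "em0"
addr_svc    = "192.0.2.10"   # documentation address standing in for the jail's public IP
svc_ext     = "80"           # public, privileged port
svc_int     = "8080"         # unprivileged port the jailed daemon actually listens on

# ALTQ: a dedicated queue for the redirected service so it can be shaped
# separately from everything else on the interface.
altq on $int_untrust cbq bandwidth 10Mb queue { svc_q, std_q }
queue svc_q bandwidth 2Mb cbq
queue std_q bandwidth 8Mb cbq(default)

# Translation: same match criteria as the original "rdr pass" rule, but
# without "pass". Instead the rule stamps matching packets with a tag.
rdr on $int_untrust proto tcp from any to $addr_svc port $svc_ext \
    tag SVC_RDR -> $addr_svc port $svc_int

# Filtering runs after translation, so the filter rules see port $svc_int.
# Block direct access to the internal port, then admit only packets that
# carry the tag set by the rdr rule. A client connecting straight to
# $svc_int never traverses the rdr rule, never gets the tag, and is blocked.
block in on $int_untrust proto tcp from any to $addr_svc port $svc_int
pass in quick on $int_untrust proto tcp from any to $addr_svc port $svc_int \
    tagged SVC_RDR queue svc_q keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, and confirm the tag is applied with `pfctl -vsr` and `pfctl -vss`, which show the rule and state counters.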