Date: Thu, 15 Sep 2005 13:36:54 +0100
From: Brian Candler <B.Candler@pobox.com>
To: Greg Hennessy <Greg.Hennessy@nviz.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Using 'rdr' on outbound connections
Message-ID: <20050915123654.GA1315@uk.tiscali.com>
In-Reply-To: <20050915121619.68C874D@gw2.local.net>
References: <20050915120749.GA1235@uk.tiscali.com> <20050915121619.68C874D@gw2.local.net>
On Thu, Sep 15, 2005 at 01:16:19PM +0100, Greg Hennessy wrote:
> It could do,
>
> Make the 1st line of the policy
>
> block log all
>
> And see what it catches.

/etc/pf.conf now:

rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25
rdr pass on lo0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
rdr pass on fxp0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
block log all

Not surprisingly, it blackholes everything.

# telnet -N 147.28.0.39 25
Trying 147.28.0.39...
telnet: connect to address 147.28.0.39: Operation not permitted
telnet: Unable to connect to remote host

# tcpdump -r /var/log/pflog

just shows:

13:26:09.426570 IP bloodhound.noc.clara.net.57393 > rip.psg.com.smtp: S 360892497:360892497(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 9750257 0>

(that's it; no RST, no ICMP ADMIN-PROHIBITED)

I'm coming to the conclusion that 'rdr' acts on an "inbound" interface, i.e. packets arriving at the kernel, and locally-originated packets don't match any interface; or something like that.

But I was hoping there would be someone on the list who has a reasonably deep knowledge of the 'pf' code and could explain whether what I want to do is not possible, or if it is, how to do it.

Thanks,

Brian.
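As an added example (not part of this message or any reply in the thread): the pf.conf shape commonly cited for redirecting locally originated connections. It works around the behaviour Brian describes by using route-to to push the outbound packet back in through lo0, where an rdr rule on lo0 sees it as inbound traffic. The interface name fxp0, port 25 and the 127.0.0.1 target are taken from Brian's ruleset; that route-to lo0 has this effect on the pf version in use, and the exact route-to syntax, are assumptions to verify with pfctl rather than facts established by the thread. Translation rules precede filter rules in this pf generation, and without 'quick' the last matching filter rule wins, which is why 'block log all' sits before the pass rules.

```pf
# Added example, not from the original thread. Assumes (unverified here)
# that rdr only matches packets arriving inbound on an interface, so a
# locally generated packet must be looped back through lo0 before an
# rdr rule can act on it.
ext_if = "fxp0"

# Translation section (must come before filter rules on this pf version).
# Step 2: the looped-back SYN arrives inbound on lo0 and is redirected.
# Source is restricted to fxp0's own address so that connections the
# local listener itself makes to 127.0.0.1 are not re-redirected (loop).
rdr on lo0 inet proto tcp from ($ext_if) to any port 25 -> 127.0.0.1 port 25

# Filter section. Default deny first: last matching rule wins, and every
# blocked packet is logged to pflog0 so misses stay visible.
block log all

# Step 1: intercept the locally generated SYN as it leaves fxp0 and hand
# it to lo0 instead of the wire (route-to syntax is an assumption).
pass out on $ext_if route-to lo0 inet proto tcp from ($ext_if) to any port 25

# Step 3: allow the redirected connection to reach the local listener.
pass in on lo0 inet proto tcp from ($ext_if) to 127.0.0.1 port 25

# Loopback traffic that is not being redirected.
pass on lo0 inet from 127.0.0.1 to 127.0.0.1
```

Before loading it, syntax-check with 'pfctl -nf /etc/pf.conf' and confirm the parsed rules with 'pfctl -sn' (translation) and 'pfctl -sr' (filter). Then repeat Brian's test: run the telnet to a remote port 25 while watching 'tcpdump -n -e -ttt -i pflog0'. If the SYN still appears in pflog as blocked on fxp0, the route-to rule did not match the packet and the assumption about this pf version's handling of locally generated traffic does not hold; if instead the connection lands on the 127.0.0.1 listener, check with 'pfctl -ss' that a state for the redirected connection exists on lo0.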