Date: Thu, 15 Sep 2005 15:51:10 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Cc: Greg Hennessy <Greg.Hennessy@nviz.net>, Brian Candler <B.Candler@pobox.com>
Subject: Re: Using 'rdr' on outbound connections
Message-ID: <200509151551.24419.max@love2party.net>
In-Reply-To: <20050915123654.GA1315@uk.tiscali.com>
References: <20050915120749.GA1235@uk.tiscali.com> <20050915121619.68C874D@gw2.local.net> <20050915123654.GA1315@uk.tiscali.com>
On Thursday 15 September 2005 14:36, Brian Candler wrote:
> On Thu, Sep 15, 2005 at 01:16:19PM +0100, Greg Hennessy wrote:
> > It could do,
> >
> > Make the 1st line of the policy
> >
> > block log all
> >
> >
> > And see what it catches.
>
> /etc/pf.conf now:
> rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25
> rdr pass on lo0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
> rdr pass on fxp0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
> block log all
>
> Not surprisingly, it blackholes everything.
>
> # telnet -N 147.28.0.39 25
> Trying 147.28.0.39...
> telnet: connect to address 147.28.0.39: Operation not permitted
> telnet: Unable to connect to remote host
>
> # tcpdump -r /var/log/pflog
>
> just shows:
>
> 13:26:09.426570 IP bloodhound.noc.clara.net.57393 > rip.psg.com.smtp: S
> 360892497:360892497(0) win 65535 <mss
> 1460,nop,nop,sackOK,nop,wscale1,nop,nop,timestamp 9750257 0>
>
> (that's it; no RST, no ICMP ADMIN-PROHIBITED)
>
> I'm coming to the conclusion that 'rdr' acts on an "inbound" interface,
> i.e. packets arriving at the kernel, and locally-originated packets don't
> match any interface; or something like that.

That is correct. RDR-rules are only applied to inbound traffic as displayed
here: http://mniam.net/pf/pf.png  To work around this you can install a
route-to rule to loop the packet:

pass out route-to (lo0 127.0.0.1) proto tcp from any to any port 25

This will re-loop the packet, pf will see it as inbound and thus apply the
redirection.

In order to get correct ident replies you need to do more work, I am afraid.
There is oidentd (security/oidentd) which has some functionality to support
NAT in OpenBSD - it might be able to port this over ...

> But I was hoping there would be someone on the list who has a reasonably
> deep knowledge of the 'pf' code and could explain whether what I want to do
> is not possible, or if it is, how to do it.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
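The complete pf.conf that the route-to workaround implies, as an added example that is not part of the thread: it combines Brian's lo0 rdr rule with Max's pass-out rule and a logging default deny. Assumed: FreeBSD 6-era pf syntax (translation rules ahead of filter rules), fxp0 as the external interface, and that lo0 is not listed in a `set skip`, since skipped interfaces get no translation either.

```pf
# Added example (not from the mailing-list thread). Assumes FreeBSD 6-era
# pf syntax: macros, options, translation rules, then filter rules.
ext_if = "fxp0"

# Do NOT 'set skip on lo0' here: pf would then ignore lo0 entirely and the
# rdr below would never see the re-looped packet.

# --- translation ---
# rdr only matches packets arriving *inbound* on an interface. Locally
# generated SMTP connections never arrive anywhere, so this rule alone
# does nothing for them; the route-to rule below feeds them back in on
# lo0. 'rdr pass' lets the redirected packet through without further
# filter evaluation.
rdr pass on lo0 proto tcp from any to any port 25 -> 127.0.0.1 port 25

# --- filtering ---
# Default deny with logging: anything the loop fails to catch shows up in
# /var/log/pflog instead of vanishing silently.
block log all

# Loopback traffic is otherwise unrestricted; 'quick' stops evaluation so
# the route-to rule below never touches packets already on lo0.
pass quick on lo0 all keep state

# Locally generated SMTP: instead of leaving via $ext_if, hand the packet
# to lo0. pf then sees it as inbound on lo0 and applies the rdr above.
# Excluding 127.0.0.0/8 (an assumption, as a loop guard) keeps a packet
# already destined for the loopback from being re-looped.
pass out route-to (lo0 127.0.0.1) proto tcp from any to ! 127.0.0.0/8 port 25 keep state
```

Load with `pfctl -f /etc/pf.conf` and confirm with `pfctl -s state` that a local connection to a remote port 25 shows up translated to 127.0.0.1:25.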