Date:      Tue, 13 Jan 2009 02:14:50 +0100
From:      Mitar <mmitar@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   rdr pass rule
Message-ID:  <f63c4b2d0901121714t452d2b6ftc3ca08c7c08b6ad0@mail.gmail.com>

Hi!

I have a system where my daemon is running on a public IP on a high
port (so that it does not need root privileges, and it is bound to a
public IP as it runs in a jail) and I would like to translate it to a
lower port. I would like only this lower port to be publicly
accessible. This can be done with:

rdr pass on $int_untrust proto tcp from any to $addr_svc port $svc_ext
-> $addr_svc port $svc_int

This makes only the $svc_ext port accessible, as the $svc_int port is
closed (not opened) for traffic.

But I would like to assign this traffic to a queue and thus I cannot
use the pass option. I wanted to create an rdr rule without the pass
option and a separate pass rule later on. But the problem is that, as
far as I understand, pass rules are applied after rdr, so I can set
them only on the internal port (to which I am translating the public
port). But then the question is how I can open this internal port so
that it is not open to the public, only to traffic coming through the
rdr rule?

Is there a general way to transcribe the rdr pass option into a pass
rule which would behave in the same way as rdr pass?


Mitar
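
One way to split the rdr pass rule into a separate rdr and pass pair while keeping the internal port closed to direct connections, added here as an illustration and not taken from the thread. It assumes the macro names from the post, constructed address and port values, an existing altq queue named svc_q, and that rdr rules accept a tag option and pass rules a tagged option (as in the pf syntax of that era); the pass rule is matched against the already-translated destination port, so only packets that actually went through the rdr rule carry the tag.

```pf
# Macros as used in the original post; the values are constructed examples.
int_untrust = "em0"
addr_svc    = "203.0.113.10"
svc_ext     = "80"      # low port exposed to the public
svc_int     = "8080"    # high port the jailed, non-root daemon listens on

# Translate the public port to the internal one WITHOUT 'pass', so that the
# later filter rules still see the packet. Tag everything this rule rewrites.
rdr on $int_untrust proto tcp from any to $addr_svc port $svc_ext \
    tag SVC_RDR -> $addr_svc port $svc_int

# Direct connections to the internal port never went through the rdr rule,
# so they carry no tag and are dropped here (last matching rule wins, and the
# tagged pass rule below does not match them).
block in on $int_untrust proto tcp from any to $addr_svc port $svc_int

# Only translated traffic is allowed in, and it is assigned to the queue.
pass in on $int_untrust proto tcp from any to $addr_svc port $svc_int \
    tagged SVC_RDR keep state queue svc_q
```

The queue svc_q must be declared with an altq block on $int_untrust for the queue keyword to be accepted; check the result with `pfctl -nf /etc/pf.conf` before loading it.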

