From: Mitar <mmitar@gmail.com>
To: freebsd-pf@freebsd.org
Date: Tue, 13 Jan 2009 02:14:50 +0100
Subject: rdr pass rule
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf@freebsd.org>

Hi!

I have a system where my daemon is running on a public IP on a high port (so that it does not need root privileges, and it is bound to a public IP as it runs in a jail) and I would like to translate it to a lower port. I would like only this lower port to be publicly accessible. This can be done with:

rdr pass on $int_untrust proto tcp from any to $addr_svc port $svc_ext -> $addr_svc port $svc_int

This makes only the $svc_ext port accessible, as the $svc_int port is closed (not opened) for traffic. But I would like to assign this traffic to a queue and thus I cannot use the pass option. I wanted to create a rdr rule without the pass option and a separate pass rule later on. But the problem is that, as far as I understand, pass rules are applied after rdr, so I can set them only on the internal port (to which I am translating the public port). But then the question is how I can open this internal port so that it is not opened to the public, only to traffic coming through the rdr rule?

Is there a general way to transcribe the rdr pass option into a pass rule which would behave in the same way as rdr pass?

Mitar
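The following pf.conf fragment is an added example, not part of Mitar's post or of any reply on the list. It shows one way to get the effect of "rdr pass" with a separate filter rule so that a queue can be assigned: the rdr rule tags the packets it translates, and the pass rule on the translated port matches only packets carrying that tag ("tagged"), so direct connections to the internal port (untagged) fall through to the block rule. Interface name, addresses, ports, queue names, the ALTQ scheduler and the tag name are assumptions chosen for illustration; the tag/tagged syntax on rdr and pass rules is that of the pf.conf(5) grammar in FreeBSD 7-era pf. Whether the default block and the explicit "flags S/SA keep state" are needed depends on the rest of the ruleset; they are written out here so the example stands alone.

```pf
# Assumed names: em0 is the untrusted interface, 192.0.2.10 is the public
# jail address (documentation prefix), 80 is the public port and 8080 the
# port the unprivileged daemon actually listens on.
int_untrust = "em0"
addr_svc    = "192.0.2.10"
svc_ext     = "80"
svc_int     = "8080"

# Assumed ALTQ setup: a default queue and one queue for the redirected
# service traffic. Requires an ALTQ-enabled kernel.
altq on $int_untrust cbq bandwidth 10Mb queue { std_q, svc_q }
queue std_q bandwidth 70% cbq(default)
queue svc_q bandwidth 30%

# Translation: no "pass" here, so the packet continues into the filter
# rules after its destination port has been rewritten. The tag SVC_RDR is
# attached to every packet this rule translates.
rdr on $int_untrust proto tcp from any to $addr_svc port $svc_ext \
    tag SVC_RDR -> $addr_svc port $svc_int

# Default deny on the untrusted interface.
block in on $int_untrust

# Filter rules see the translated port ($svc_int), not $svc_ext. Only
# packets carrying the tag set by the rdr rule are passed and queued;
# a client connecting straight to $svc_int is untagged and stays blocked.
pass in quick on $int_untrust proto tcp from any to $addr_svc port $svc_int \
    tagged SVC_RDR flags S/SA keep state queue svc_q
```

Check the syntax and the resulting rulesets with pfctl -nf /etc/pf.conf, pfctl -s nat and pfctl -vs rules; the last of these also shows the packet counters per rule, which is the quickest way to confirm that a direct connection to the internal port hits the block rule rather than the tagged pass rule.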