Date: Mon, 06 Jul 2009 13:50:57 +0800
From: "Ronnel P. Maglasang" <rmaglasang@infoweapons.com>
To: tt-list@simplenet.com
Cc: freebsd-pf@freebsd.org
Subject: Re: Extremely simple redirect rule doesnt appear to be working
Message-ID: <4A5190C1.2060205@infoweapons.com>
In-Reply-To: <4A518F07.1070209@simplenet.com>
References: <4A4D2010.4020908@simplenet.com> <c4b701070907030313s62a4bc33nbea633edee178572@mail.gmail.com> <4A4F0950.7020005@simplenet.com> <d64aa1760907040642w1d7fa1ecp8be75728235da8a1@mail.gmail.com> <4A518B6B.1010407@simplenet.com> <d64aa1760907052237l6c692961ic777fe09a44ce426@mail.gmail.com> <4A518F07.1070209@simplenet.com>
Tim Traver wrote:
>
> Chris Buechler wrote:
>> On Mon, Jul 6, 2009 at 1:28 AM, Tim Traver <tt-list@simplenet.com> wrote:
>>
>>> Thanks for responding. I am indeed testing this from within the same
>>> machine, as I need the redirection to take place when attempting to
>>> make requests FROM the machine to an outside source.
>>>
>>> Is there not a way to do that with pf ???
>>>
>>
>> There are multiple options, see:
>> http://www.openbsd.org/faq/pf/rdr.html
>>
>
> Chris,
>
> yes, that is where I originally got all of the information, and made
> my original post with my redirection line in the pf.conf that does not
> appear to be doing anything. I couldn't figure out why, hence the post
> here.
>
> Here is a copy of the original post if you think you might have any
> insight...
>
> Hi all,
>
> ok, I'm a little new to messing around with pf, but have come up for a
> need that it sounds like it should be able to solve.
>
> I want to be able to redirect outgoing http requests from the box back
> to local addresses on the box...
>
> In reading up, it appears that the redirect config line should do
> that, and in testing, I have a simple line like this in the pf.conf
>
> rdr pass inet proto tcp from any to 209.131.36.158 port 80 -> [internal address here] port 80
>
> now, I haven't made that internal address be an address on the local
> box yet, cause I'm testing to see how this works...
>
> I can manually telnet to [internal address here] port 80 with no
> problems and get the apache greeting.
>
> Once I turn on and load the pf.conf file (with pfctl -F all -f
> /etc/pf.conf), and I try to telnet to 209.131.36.158 port 80 (generic
> www.yahoo.com), I don't get redirected to the internal address port 80
> and get the apache greeting that is expected...
>
> I did turn on port forwarding as per the instructions for NAT,
> although it didn't say if it was needed for rdr.
>
> net.inet.ip.forwarding=1
>
> in netstat, I see it trying to actually reach the outside IP, which it
> can't, so the translation didn't appear to take effect...
>
> am I missing something ?
>

Yes, I believe so. rdr works only for incoming traffic. To redirect
outgoing traffic locally you need to re-route the traffic using the
route-to option. Try these rules.

--
rdr pass on lo0 inet proto tcp from any to 209.131.36.158 port 80 -> <internal address here> port 80
pass out log quick on lo0 no state
pass in log quick on lo0 no state
pass out quick on <outgoing if> route-to (lo0 <internal address here>) inet proto tcp from any to 209.131.36.158 port 80 keep state
--

> Thanks,
>
> Tim.
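The following pf.conf fragment is an added example written for this archive page; it is not from the thread or from the FreeBSD project. It places the original rule, which only ever matches inbound packets, beside the lo0 route-to rule set from the reply, with macros for the values the thread leaves as placeholders. The interface name `em0`, the internal address `10.0.0.5` and the macro names are assumptions; `209.131.36.158` is the outside address used in the thread.

```pf
# Added example, not part of the original thread. Macro values below are
# assumptions; replace them with the real interface and local address.
ext_if   = "em0"             # assumption: interface carrying the default route
target   = "209.131.36.158"  # outside address the thread tests against
internal = "10.0.0.5"        # assumption: local address the redirect lands on

# Caveat: the stock FreeBSD pf.conf carries "set skip on lo0". If that line
# is present, no rule bound to lo0 is evaluated and the redirect below
# silently does nothing. Make sure lo0 is not skipped:
# set skip on lo0            <- must NOT be in the ruleset for this to work

# Original rule from the thread. rdr is applied to packets arriving on an
# interface, so it never sees a connection the box itself originates.
# rdr pass inet proto tcp from any to $target port 80 -> $internal port 80

# Rule set from the reply. Translate on lo0, which is where the re-routed
# outbound packet re-enters the stack.
rdr pass on lo0 inet proto tcp from any to $target port 80 -> $internal port 80

# Let the re-routed packets through lo0 without state; "log" sends a copy
# to pflog0 so the redirect can be watched while testing.
pass out log quick on lo0 no state
pass in  log quick on lo0 no state

# A locally generated connection to $target would leave via $ext_if.
# route-to pushes it out lo0 toward $internal instead, so the lo0 rdr
# above gets to rewrite the destination.
pass out quick on $ext_if route-to (lo0 $internal) inet proto tcp \
    from any to $target port 80 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. To confirm the translation is really happening rather than the packet escaping to the outside address as in the original report, open a connection to port 80 on `$target` and look at `pfctl -s state`: the translated entry shows the connection terminating at `$internal`. `pfctl -s nat` lists the rdr as loaded, and with pflog enabled (`pflog_enable="YES"` in rc.conf) `tcpdump -n -e -ttt -i pflog0` shows the packets the two logged lo0 rules pass. Because the rdr on lo0 rewrites every local process's connections to that address, not just the test telnet, keep the rule scoped to the one destination and port you intend and review the state table for anything unexpected.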
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A5190C1.2060205>