Date:      Mon, 8 Feb 2010 21:48:29 +0200
From:      Spas Karabelov <st0ma@sofiahouse.net>
To:        Nick Rogers <ncrogers@gmail.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: PF Traffic Redirection issues
Message-ID:  <331b660a1002081148r572e43d1k88d18f0ef83d64b2@mail.gmail.com>
In-Reply-To: <147432021002051039s16c72988n95e80f2e9ede0955@mail.gmail.com>
References:  <331b660a1002050941y256e3343i65afe78df5eba4e5@mail.gmail.com> <147432021002051039s16c72988n95e80f2e9ede0955@mail.gmail.com>

Thanks for the info Nick,

I had the reflection working with PF + Inetd + NC.

*in the inetd.conf I have the following:*


#INTERNAL NC CONFIGURATION

http stream tcp nowait root /usr/bin/nc nc -w 20 192.168.128.102 80

*in rc.conf I had to add the following to limit the proxy to listening on the localhost only:*

inetd_flags="-wW -a 127.0.0.1"


*the PF configuration is as follows:*

TRANSLATION RULES:
rdr pass on em0 inet proto tcp from any to 192.168.128.170 port = http -> 127.0.0.1 port 80

FILTER RULES:
block drop log all
pass in on lo0 inet6 proto tcp from any to fe80::1 port = http flags S/SA keep state
pass in on lo0 inet6 proto tcp from any to ::1 port = http flags S/SA keep state
pass in on lo0 inet proto tcp from any to 127.0.0.1 port = http flags S/SA keep state
pass in on em0 inet proto tcp from any to 192.168.128.170 port = ssh flags S/SA keep state
pass out all flags S/SA keep state


Thanks for the heads up. Hope this works for someone.

KR,

Spas

On Fri, Feb 5, 2010 at 8:39 PM, Nick Rogers <ncrogers@gmail.com> wrote:

>
>
> On Fri, Feb 5, 2010 at 9:41 AM, Spas Karabelov <st0ma@sofiahouse.net> wrote:
>
>> Hello,
>>
>> I am trying to perform traffic redirection with PF on 7.2-RELEASE.
>> The traffic is in the same subnet and I try doing that by using just one
>> interface em0.
>
>
> PF cannot redirect packets back out the interface they originated on.
>
> From pf.conf(5)...
>
> "Redirections cannot reflect packets back through the interface they arrive
> on, they can only be redirected to hosts connected to different interfaces or
> to the firewall itself."
>
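The setup above works because PF hands the connection to a proxy on the firewall itself (the inetd-spawned nc bound to 127.0.0.1), and that proxy opens a second, ordinary outbound connection to 192.168.128.102:80. The following is an added example, not code from the thread or from FreeBSD, that reproduces the same relay in Python on loopback so the mechanics can be run offline: a listener that refuses to bind anywhere but 127.0.0.1 (the role of `inetd_flags="-a 127.0.0.1"`), one accept per connection (what inetd does), a 20 second connect timeout (`nc -w 20`), and a constructed stand-in for the internal web server. The backend address, ports and HTTP payload are constructed for the demonstration.

```python
"""Loopback-only TCP relay mirroring the inetd + nc reflection described in the thread."""
import socket
import threading

# Mirrors inetd_flags="-a 127.0.0.1": the relay must never listen on a routable address.
LOOPBACK = "127.0.0.1"
BACKEND_TIMEOUT = 20.0  # mirrors "nc -w 20"


def make_listener(bind_addr, port):
    """Create a listening socket; refuse anything that is not the loopback address."""
    if bind_addr != LOOPBACK:
        raise ValueError("relay must bind to %s only, got %r" % (LOOPBACK, bind_addr))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((bind_addr, port))  # port 0 lets the OS pick a free port (used by the demo)
    s.listen(5)
    return s


def bind_is_refused(bind_addr):
    """True if the relay refuses to listen on bind_addr (the check an operator wants)."""
    try:
        make_listener(bind_addr, 0).close()
    except ValueError:
        return True
    return False


def _pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_once(listener, backend_addr, timeout=BACKEND_TIMEOUT):
    """Accept one client (inetd spawns one nc per connection) and splice it to the backend."""
    client, _ = listener.accept()
    backend = socket.create_connection(backend_addr, timeout=timeout)
    backend.settimeout(None)  # the timeout only bounds the connect, as with nc -w
    t = threading.Thread(target=_pump, args=(backend, client), daemon=True)
    t.start()
    _pump(client, backend)
    t.join()
    backend.close()
    client.close()


def _fake_backend(listener, response):
    """Constructed stand-in for the internal web server at 192.168.128.102:80."""
    conn, _ = listener.accept()
    conn.recv(4096)  # read the request; its contents are not inspected here
    conn.sendall(response)
    conn.close()


def demo():
    """Run backend, relay and client on loopback; return what the client received."""
    response = b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok"  # constructed reply
    backend_l = make_listener(LOOPBACK, 0)
    relay_l = make_listener(LOOPBACK, 0)
    threading.Thread(target=_fake_backend, args=(backend_l, response), daemon=True).start()
    threading.Thread(target=relay_once, args=(relay_l, backend_l.getsockname()), daemon=True).start()
    c = socket.create_connection(relay_l.getsockname(), timeout=5)
    c.sendall(b"GET / HTTP/1.0\r\n\r\n")
    c.shutdown(socket.SHUT_WR)
    got = b""
    while True:
        chunk = c.recv(4096)
        if not chunk:
            break
        got += chunk
    c.close()
    backend_l.close()
    relay_l.close()
    return got


if __name__ == "__main__":
    print(demo())
    print("bind to 0.0.0.0 refused:", bind_is_refused("0.0.0.0"))
```

Because the relay originates a fresh connection, the internal server sees the firewall's own address as the client, not the address of the host that connected to 192.168.128.170; anyone relying on the web server's access logs for that information needs to keep the PF log (`block drop log all` and the `rdr pass` rule) alongside them.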


