Date:      Wed, 30 Jun 2010 14:15:18 -0300
From:      Gabriel Fonseca <gabriel@ethx.com.br>
To:        freebsd-pf@freebsd.org
Subject:   Re: Re[2]: rdr + reply-to, some solution ?
Message-ID:  <AANLkTinyxhV5IW5YjFX6dwwkp_LKMc799SjMDu5mgQ5C@mail.gmail.com>
In-Reply-To: <AANLkTikxUfjPEc2D9j-heSB8MWbwRxj2p7qrK32SDDJ7@mail.gmail.com>
References:  <AANLkTimDyUL8BWaik3XbgixUakz_r_KgO63LwDoNsODK@mail.gmail.com> <E1OU0Iv-000JKp-95@ffe9.ukr.net> <AANLkTikxUfjPEc2D9j-heSB8MWbwRxj2p7qrK32SDDJ7@mail.gmail.com>

2010/6/30 Luiz Gustavo S. Costa <luizgustavo@luizgustavo.pro.br>

> Hi,
>
> Yep!
>
> # Nat section
> rdr on $if_ext2 proto tcp from any to $ip_ext2 port http tag
> http_link2 -> $dmz_http
>
> # Rule section
> pass in quick on $if_ext2 reply-to ($if_ext2 $gw_ext2) tagged http_link2
>
> The reply-to is applied on the tag match.
>
> Thanks to Gabriel!
>
> 2010/6/30 Vitaliy Vladimirovich <artemrts@ukr.net>:
> >
> >        Hi Luiz!
> >
> >    Can you post here your working final ruleset with rdr + reply-to?
> Only
> > rdr + reply-to section.
> >
> >   Thank you!
> >
> >
> > PERFECT !!!!!
> >
> > This is it ! (tribute to MJ)
> >
> > worked perfectly, had not really thought about using tag, perfect.
> >
> > thank you (valeu !)
> >
> > goodbye rinetd/redir !
> >
> > 2010/6/28 Gabriel Fonseca <gabriel@ethx.com.br>:
> >> 2010/6/28 Luiz Gustavo S. Costa <luizgustavo@luizgustavo.pro.br>
> >>>
> >>> hi Chris ! how are you?
> >>>
> >>> as it says here in Brazil: "I eat ball" :).
> >>>
> >>> pass in $if_int reply-to ($if_ext2 $gw_ext2) proto tcp from any to
> >>> 192.168.1.100 port 80
> >>>
> >>> but still, the combination does not work
> >>>
> >>> thanks
> >>>
> >>>
> >>> 2010/6/28 Chris Buechler <cbuechler@gmail.com>:
> >>> > On Mon, Jun 28, 2010 at 5:12 PM, Luiz Gustavo S. Costa
> >>> > <luizgustavo@luizgustavo.pro.br> wrote:
> >>> >> Hi all.
> >>> >>
> >>> >> I know there is a problem in using rdr with the reply-to, I usually
> >>> >> use some software to "rdr", as the rinetd, but it's not a pretty
> >>> >> solution.
> >>> >>
> >>> >> Is there any alternative?
> >>> >>
> >>> >> Below is an example of what I'm talking about.
> >>> >>
> >>> >> # Nat section
> >>> >> rdr on $if_ext2 proto tcp from any to 200.x.x.x port 80 ->
> >>> >> 192.168.1.100
> >>> >> # Rules section
> >>> >> pass in $if_ext2 reply-to ($if_ext2 $gw_ext2) proto tcp from any to
> >>> >> 200.x.x.x port 80
> >>> >>
> >>> >
> >>> > That rule won't match traffic from that rdr. The dest has to be the
> >>> > 192.168.1.100 IP.
> >>> >
> >>>
> >>>
> >>>
> >>> --
> >>> Luiz Gustavo Costa (Powered by BSD)
> >>> *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
> >>> mundoUnix - Consultoria em Software Livre
> >>> http://www.mundounix.com.br
> >>> ICQ: 2890831 / MSN: contato@mundounix.com.br
> >>> Tel: 55 (21) 2642-3799 / 7582-0594
> >>> Blog: http://www.luizgustavo.pro.br
> >>> _______________________________________________
> >>> freebsd-pf@freebsd.org mailing list
> >>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> >>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> >>
> >>
> >> Hi, Luiz "gugaBSD" Gustavo.
> >> I don't know exactly what you need, but I'll try to help.
> >>
> >> Try this:
> >> rdr on $if_ext2 proto tcp from any to 200.x.x.x port 80 tag LINK2 ->
> >> 192.168.1.100
> >> pass in quick on $if_ext2 reply-to ( $if_ext2 $gw_ext2  ) tagged LINK2
> >>
> >> I hope that helps.
> >>
> >> Gabriel "ethX" Fonseca
> >>
> >
>


With the tag you can specify that the traffic which must undergo the "reply-to"
is the redirected traffic.

Remember that "reply-to" routes packets that pass in the opposite
direction to the specified interface, as is specified in the pf.conf man
page:

     reply-to
           The reply-to option is similar to route-to, but routes packets that
           pass in the opposite direction (replies) to the specified
           interface.  Opposite direction is only defined in the context of a
           state entry, and reply-to is useful only in rules that create
           state.  It can be used on systems with multiple external
           connections to route all outgoing packets of a connection through
           the interface the incoming connection arrived through (symmetric
           routing enforcement).


The "reply-to" facilitate the maintenance of filtering rules, without
having to create "pass out" rules to outbound traffic on the return of
the redirect.

Sorry for my English, I'm not good at it.



Gabriel "ethX" Fonseca


