Date: Thu, 15 Sep 2005 14:09:27 +0100
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'Brian Candler'" <B.Candler@pobox.com>
Cc: freebsd-pf@freebsd.org
Subject: RE: Using 'rdr' on outbound connections
Message-ID: <20050915130927.4A1584D@gw2.local.net>
In-Reply-To: <20050915123654.GA1315@uk.tiscali.com>
> Not surprisingly, it blackholes everything.

The joys of a default deny. Add a

    pass all on lo0 keep state

Just keep things listening there sweet.

>
> # telnet -N 147.28.0.39 25
> Trying 147.28.0.39...
> telnet: connect to address 147.28.0.39: Operation not permitted
> telnet: Unable to connect to remote host
>
> # tcpdump -r /var/log/pflog
>
> just shows:
>
> 13:26:09.426570 IP bloodhound.noc.clara.net.57393 >
> rip.psg.com.smtp: S 360892497:360892497(0) win 65535 <mss
> 1460,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 9750257 0>
>
> (that's it; no RST, no ICMP ADMIN-PROHIBITED)

You need to

    set block-policy return

for that to happen.

Now that it's caught it and we know what the specifics are, try

    # assuming fxp0 and bloodhound.noc.clara.net are one and the same.
    rdr pass on fxp0 proto tcp from fxp0 to !fxp0 port smtp -> 127.0.0.1 port smtp

and see does that work.

> I'm coming to the conclusion that 'rdr' acts on an "inbound"
> interface, i.e. packets arriving at the kernel, and locally-originated
> packets don't match any interface; or something like that.

It would be rather hard to filter on userid if that was the case.

Greg
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050915130927.4A1584D>
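The thread diagnoses the blocked connection by reading /var/log/pflog with tcpdump, but without -e the output shows only the packet, not which rule blocked it or in which direction. The following is an added example, not code from either participant: a small parser for the lines that `tcpdump -e -n -r /var/log/pflog` prints, which carry the rule number, action, direction and interface. It assumes the pflog header shape shown in the comment (that is the assumed format, not something the thread states), and the sample log lines are constructed for illustration; 192.0.2.10 and 198.51.100.7 are placeholder addresses, and the destination 147.28.0.39 port 25 is the one from the thread.

```python
import re
from collections import Counter

# Assumed shape of one `tcpdump -e -n -r /var/log/pflog` line for a TCP packet
# (assumption for this example; -e adds the pflog header that names the rule):
#
#   HH:MM:SS.usec rule R/S(REASON): ACTION DIR on IFACE: [IP] SRC.SPORT > DST.DPORT: FLAGS ...
#
# The rule number may carry anchor components such as "3.spam.1".
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"rule\s+(?P<rule>[\w.]+)/(?P<subrule>\d+)\((?P<reason>[\w-]+)\):\s+"
    r"(?P<action>pass|block|match|nat|rdr|binat|scrub)\s+"
    r"(?P<direction>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"(?:IP6?\s+)?"
    r"(?P<src>[\w.:]+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>[\w.:]+)\.(?P<dport>\w+):\s*"
    r"(?P<rest>.*)$"
)

# Constructed sample log lines (not real captures): a locally originated SYN
# to port 25 refused on the way out, a permitted loopback SYN, an inbound
# probe refused, and one line that is not pflog output at all.
SAMPLE_PFLOG = """\
13:26:09.426570 rule 0/0(match): block out on fxp0: IP 192.0.2.10.57393 > 147.28.0.39.25: S 360892497:360892497(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 9750257 0>
13:26:12.001234 rule 3/0(match): pass in on lo0: IP 127.0.0.1.49152 > 127.0.0.1.25: S 1:1(0) win 65535 <mss 16344>
13:26:15.500000 rule 0/0(match): block in on fxp0: IP 198.51.100.7.4444 > 192.0.2.10.22: Flags [S], seq 77, win 5840
not a pflog line at all
""".splitlines()


def _tcp_flags(rest):
    """Old tcpdump prints 'S 1:1(0) ...', newer prints 'Flags [S], seq ...'."""
    m = re.match(r"Flags \[([^\]]*)\]", rest)
    if m:
        return m.group(1)
    return rest.split()[0] if rest else ""


def parse_pflog_line(line):
    """Return a dict for one pflog line, or None if it is not in the -e format."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = _tcp_flags(rec["rest"])
    return rec


def summarize(lines):
    """Count log entries by (action, direction, interface, rule number)."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec:
            counts[(rec["action"], rec["direction"], rec["iface"], rec["rule"])] += 1
    return counts


def blocked_outbound(lines):
    """Bare SYNs the filter refused on the outbound side of an interface.

    A SYN logged as 'block out on <iface>' had already left the socket layer
    and was evaluated outbound on that interface, which is the situation the
    thread is debugging (flags == "S" excludes the "S." of a SYN-ACK).
    """
    hits = []
    for line in lines:
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block" and rec["direction"] == "out" and rec["flags"] == "S":
            hits.append((rec["iface"], rec["src"], rec["dst"], rec["dport"]))
    return hits


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_PFLOG).items()):
        print(n, *key)
    for iface, src, dst, dport in blocked_outbound(SAMPLE_PFLOG):
        print(f"outbound SYN from {src} to {dst} port {dport} refused on {iface}")
```

The rule numbers in the log can be matched against the loaded ruleset with `pfctl -vvsr`, which prints each rule with its number. Note that the log entry records the packet and the rule that matched it, not the response pf generated: whether the peer receives a RST or ICMP instead of silence is governed by block-policy, as the reply above says, and does not show up in pflog.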