pf: redirect a packet's port but not its address?
Alan Somers
asomers at freebsd.org
Tue Jan 23 18:26:22 UTC 2018
On Tue, Jan 23, 2018 at 10:39 AM, Andrey V. Elsukov <bu7cher at yandex.ru> wrote:
> On 23.01.2018 19:17, Alan Somers wrote:
> >>> Unfortunately, pf currently lacks this capability. But it looks like it
> >>> could be added without breaking existing pf.conf syntax. Would this be a
> >>> good idea?
> >>>
> >>> I don't use ipfw, but from reading the man page I believe that it has the
> >>> same problem.
> >>
> >> I think ipfw should work with such configuration using "fwd" action,
> >> since TCP/UDP has special handling for this.
> >
> > The man page says that the fwd directive always takes an IP address. What
> > I need is a way to forward the port without changing the IP address. Is
> > that possible in ipfw?
>
> "fwd" rule does not changing nor IP address, nor port. It uses some
> magic with PCB lookup in the TCP/UDP code.
> Just tried this:
>
> # ipfw add fwd ::1,5678 tcp from any to any 4000
> # nc -6 -l ::1 5678
>
> And from another host tried:
> # telnet -6 fc00::1 4000
>
> And this works.
>
This does not work for me. When I try, tcpdump shows that the host running
ipfw returns an RST packet when it receives a SYN for port 4000. That
sounds like the fwd rule isn't working. And it's probably not working
because I'm a total ipfw n00b. Is there anything else I need to configure
in ipfw first? My rc.conf file looks like:
firewall_enable="YES"
firewall_type="open"
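An added check, not from the thread, for one possible cause of the symptom above (RST on the SYN to port 4000 with firewall_type="open"): ipfw evaluates rules in numeric order and stops at the first terminal match, rc.firewall's "open" type installs `allow ip from any to any` as rule 65000, and `ipfw add` without an explicit rule number appends above the highest existing rule, so the fwd rule lands after the allow-all and is never reached. The `ipfw list` output below is constructed, and rule number 1000 in the suggested fix is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the thread): detect a fwd rule shadowed by an
# earlier allow-all rule in an `ipfw list` listing.

# Constructed sample of `ipfw list` on a host with firewall_type="open" after
# running `ipfw add fwd ::1,5678 tcp from any to any 4000` with no rule number.
SAMPLE_LISTING='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65100 fwd ::1,5678 tcp from any to any 4000
65535 deny ip from any to any'

# first_rule_number LISTING PATTERN: print the lowest rule number whose line
# matches the awk regex PATTERN (leading zeros stripped); print nothing if none.
first_rule_number() {
    printf '%s\n' "$1" | awk -v pat="$2" '$0 ~ pat { print $1 + 0; exit }'
}

# fwd_is_reachable LISTING: return 0 when the first fwd rule is numbered below
# the first unconditional allow-all rule (so ipfw will evaluate it), else 1.
fwd_is_reachable() {
    fwd=$(first_rule_number "$1" ' fwd ')
    allow_all=$(first_rule_number "$1" ' allow ip from any to any$')
    [ -n "$fwd" ] || { echo "no fwd rule found" >&2; return 1; }
    [ -z "$allow_all" ] && return 0
    [ "$fwd" -lt "$allow_all" ]
}

# The fix is to re-add the fwd rule with an explicit number below the
# allow-all; 1000 is an arbitrary choice, pick a free number on your host.
suggested_fix() {
    echo 'ipfw add 1000 fwd ::1,5678 tcp from any to any 4000'
}

if fwd_is_reachable "$SAMPLE_LISTING"; then
    echo "fwd rule is evaluated before the allow-all rule"
else
    echo "fwd rule is shadowed by an earlier allow-all rule; reinsert it lower, e.g.:"
    suggested_fix
fi
```

Run it against the real output of `ipfw list` by replacing SAMPLE_LISTING with `$(ipfw list)`.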