Using 'rdr' on outbound connections
Greg Hennessy
Greg.Hennessy at nviz.net
Thu Sep 15 06:09:30 PDT 2005
> Not surprisingly, it blackholes everything.
The joys of a default deny.
Add a
pass all on lo0 keep state
Just keep things listening there sweet.
>
> # telnet -N 147.28.0.39 25
> Trying 147.28.0.39...
> telnet: connect to address 147.28.0.39: Operation not permitted
> telnet: Unable to connect to remote host
>
> # tcpdump -r /var/log/pflog
>
> just shows:
>
> 13:26:09.426570 IP bloodhound.noc.clara.net.57393 >
> rip.psg.com.smtp: S 360892497:360892497(0) win 65535 <mss
> 1460,nop,nop,sackOK,nop,wscale1,nop,nop,timestamp 9750257 0>
>
> (that's it; no RST, no ICMP ADMIN-PROHIBITED)
You need to
set block-policy return
for that to happen.
Now that it's caught it and we know what the specifics are.
Try
# assuming fxp0 and bloodhound.noc.clara.net are one and the same.
rdr pass on fxp0 proto tcp from fxp0 to !fxp0 port smtp -> 127.0.0.1 port smtp
And see if that works.
> I'm coming to the conclusion that 'rdr' acts on an "inbound"
> interface, i.e.
> packets arriving at the kernel, and locally-originated
> packets don't match any interface; or something like that.
It would be rather hard to filter on userid if that was the case.
Greg
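For readers putting the pieces of this reply together, here is a minimal pf.conf that combines them; this is an added example, not a configuration posted in the thread, and it assumes the poster's interface is fxp0 and that the ruleset is default-deny as described.

```pf
# Added example (not from the thread). Assumes the external interface is fxp0.
ext_if = "fxp0"

# Options come first. With "return", a blocked SYN is answered with a TCP RST
# or ICMP unreachable instead of being silently dropped, which is why the
# poster saw only the SYN in pflog and no RST/ICMP on the wire.
set block-policy return

# Translation rules (nat/rdr) must precede the filter rules.
# Candidate redirect of locally originated SMTP to a local listener, i.e. the
# rule the reply suggests trying; whether rdr matches outbound traffic at all
# is exactly what the thread is testing.
rdr pass on $ext_if proto tcp from $ext_if to !$ext_if port smtp -> 127.0.0.1 port smtp

# Default deny, logged so blocked packets show up in /var/log/pflog.
block log all

# Loopback must be open or local services and redirects to 127.0.0.1 break.
pass quick on lo0 all keep state

# Let the host's own outbound connections through, statefully.
pass out on $ext_if proto tcp from $ext_if to any keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -n -e -ttt -r /var/log/pflog` to see which rule actually caught the SYN.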