Using 'rdr' on outbound connections
Max Laier
max at love2party.net
Thu Sep 15 06:52:25 PDT 2005
On Thursday 15 September 2005 14:36, Brian Candler wrote:
> On Thu, Sep 15, 2005 at 01:16:19PM +0100, Greg Hennessy wrote:
> > It could do,
> >
> > Make the 1st line of the policy
> >
> > block log all
> >
> >
> > And see what it catches.
>
> /etc/pf.conf now:
> rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25
> rdr pass on lo0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
> rdr pass on fxp0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
> block log all
>
> Not surprisingly, it blackholes everything.
>
> # telnet -N 147.28.0.39 25
> Trying 147.28.0.39...
> telnet: connect to address 147.28.0.39: Operation not permitted
> telnet: Unable to connect to remote host
>
> # tcpdump -r /var/log/pflog
>
> just shows:
>
> 13:26:09.426570 IP bloodhound.noc.clara.net.57393 > rip.psg.com.smtp: S
> 360892497:360892497(0) win 65535 <mss
> 1460,nop,nop,sackOK,nop,wscale1,nop,nop,timestamp 9750257 0>
>
> (that's it; no RST, no ICMP ADMIN-PROHIBITED)
>
> I'm coming to the conclusion that 'rdr' acts on an "inbound" interface,
> i.e. packets arriving at the kernel, and locally-originated packets don't
> match any interface; or something like that.
That is correct. RDR-rules are only applied to inbound traffic as displayed here: http://mniam.net/pf/pf.png

To work around this you can install a route-to rule to loop the packet:

pass out route-to (lo0 127.0.0.1) proto tcp from any to any port 25

This will re-loop the packet, pf will see it as inbound and thus apply the redirection.

In order to get correct ident replies you need to do more work, I am afraid. There is oidentd (security/oidentd) which has some functionality to support NAT in OpenBSD - it might be able to port this over ...
> But I was hoping there would be someone on the list who has a reasonably
> deep knowledge of the 'pf' code and could explain whether what I want to do
> is not possible, or if it is, how to do it.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
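The following ruleset is an added example, not part of this thread and not code from Max or Brian: it combines Brian's lo0 rdr with the route-to workaround Max describes into one /etc/pf.conf that can be checked with pfctl. The interface name fxp0 is taken from Brian's posted config; the ordering, the macro and the comments are assumptions about how the two rules are meant to fit together.

```conf
# Added example (not from the thread). Assumes fxp0 is the external
# interface, as in Brian's pf.conf, and that the local MTA listens on
# 127.0.0.1:25.
ext_if = "fxp0"

# Default deny first: pf uses last-match semantics (without "quick"),
# so a "block log all" placed LAST would override the pass rules below
# and blackhole everything, which is what Brian observed.
block log all

# rdr is evaluated only on inbound traffic. A locally generated SMTP
# connection is never "inbound" on fxp0, so an rdr on fxp0 cannot catch
# it. This rdr on lo0 is the one that will match after the loop below.
rdr pass on lo0 proto tcp from any to any port 25 -> 127.0.0.1 port 25

# Send outbound SMTP through lo0 instead of out fxp0. pf then sees the
# same packet again as inbound on lo0, where the rdr above rewrites the
# destination to 127.0.0.1:25.
pass out on $ext_if route-to (lo0 127.0.0.1) proto tcp from any to any port 25
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only, nothing is loaded) and then `pfctl -f /etc/pf.conf`; with the block rule logging, `tcpdump -r /var/log/pflog` as used above shows whether an outbound SMTP SYN still hits the default deny or is now absent because the route-to and rdr rules took it.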