Hello,

I am trying to perform traffic redirection with PF on 7.2-RELEASE.
The traffic is in the same subnet and I try doing that by using just one interface em0.

My current setup of pf is as follows:

No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
rdr pass on em0 inet proto tcp from any os "NMAP" to any port 1:65535 -> 192.168.128.170 port 22
rdr pass on em0 inet proto tcp from 192.168.128.126 to any port = http -> 192.168.128.103 port 83
rdr pass on em0 inet proto tcp from 192.168.128.126 to any port = rdp -> 192.168.128.102 port 3389
rdr pass on em0 inet proto tcp from any to any port = ctf -> 192.168.128.102 port 83

FILTER RULES:
scrub in all fragment reassemble
block drop log all
block drop in on ! em0 inet from 192.168.128.0/24 to any
block drop in inet from 192.168.128.170 to any
pass in on em0 inet proto tcp from any to 192.168.128.170 port = ssh flags S/SA keep state
pass in on em0 inet proto tcp from any to 192.168.128.102 port = ctf flags S/SA synproxy state
pass in on em0 inet proto tcp from any to 192.168.128.103 port = mit-ml-dev flags S/SA synproxy state
pass out all flags S/SA keep state

When I try to perform requests they get the state *SYN_SENT:CLOSED*:

No ALTQ support in kernel
ALTQ related functions disabled
all tcp 192.168.128.170:22 <- 192.168.128.126:53162       ESTABLISHED:ESTABLISHED
all tcp 192.168.128.102:83 <- 192.168.128.170:84 <- 192.168.128.104:8351       CLOSED:SYN_SENT
all tcp 192.168.128.104:8351 -> 192.168.128.102:83       *SYN_SENT:CLOSED*

Any advice is much appreciated.

KR,
Spas
On Fri, Feb 5, 2010 at 9:41 AM, Spas Karabelov <st0ma@sofiahouse.net> wrote:
> Hello,
>
> I am trying to perform traffic redirection with PF on 7.2-RELEASE.
> The traffic is in the same subnet and I try doing that by using just one
> interface em0.

PF cannot redirect packets back out the interface they originated on.

From pf.conf(5)...

"Redirections cannot reflect packets back through the interface they arrive on, they can only be redirected to hosts connected to different interfaces or to the firewall itself."
Thanks for the info Nick,

I had the reflection working with PF + inetd + nc.

*in inetd.conf I have the following:*

#INTERNAL NC CONFIGURATION
http stream tcp nowait root /usr/bin/nc nc -w 20 192.168.128.102 80

*in rc.conf I had to add the following to limit the proxy to listening on localhost only:*

inetd_flags="-wW -a 127.0.0.1"

*the PF configuration is as follows:*

TRANSLATION RULES:
rdr pass on em0 inet proto tcp from any to 192.168.128.170 port = http -> 127.0.0.1 port 80

FILTER RULES:
block drop log all
pass in on lo0 inet6 proto tcp from any to fe80::1 port = http flags S/SA keep state
pass in on lo0 inet6 proto tcp from any to ::1 port = http flags S/SA keep state
pass in on lo0 inet proto tcp from any to 127.0.0.1 port = http flags S/SA keep state
pass in on em0 inet proto tcp from any to 192.168.128.170 port = ssh flags S/SA keep state
pass out all flags S/SA keep state

Thanks for the heads up. Hope this works for someone.

KR,
Spas

On Fri, Feb 5, 2010 at 8:39 PM, Nick Rogers <ncrogers@gmail.com> wrote:
>
> On Fri, Feb 5, 2010 at 9:41 AM, Spas Karabelov <st0ma@sofiahouse.net> wrote:
>
>> Hello,
>>
>> I am trying to perform traffic redirection with PF on 7.2-RELEASE.
>> The traffic is in the same subnet and I try doing that by using just one
>> interface em0.
>
> PF cannot redirect packets back out the interface they originated on.
>
> From pf.conf(5)...
>
> "Redirections cannot reflect packets back through the interface they arrive
> on, they can only be redirected to hosts connected to different interfaces
> or to the firewall itself."
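The single-interface reflection discussed in this thread, written out as one complete pf.conf in the pre-4.7 syntax that FreeBSD 7.2 uses. This is an added example, not Spas's or Nick's configuration: variant A is the posted rdr-to-localhost approach (pf may redirect to the firewall itself, so the packet is handed to a local inetd/nc forwarder), and variant B is the rdr + nat combination that the OpenBSD PF FAQ describes under "Redirection and Reflection", where the client's source address is rewritten to the firewall's so the server's reply comes back through the firewall. The addresses are the ones from the thread; the macro names, the choice of port 8080 for variant B, the `nobody` user and the `set skip on lo0` line are my assumptions.

```pf
# Added example (not from the thread): reflecting TCP through one interface
# on FreeBSD 7.2 pf. Addresses come from the thread; macro names are assumed.
int_if  = "em0"
fw_ip   = "192.168.128.170"   # the firewall's own address on em0
webhost = "192.168.128.102"   # the real web server, same subnet as the clients
int_net = "192.168.128.0/24"

set skip on lo0               # loopback is trusted; no rules needed there
scrub in all

### Variant A: rdr to the firewall itself, userland proxy does the hop ###
# Companion lines outside pf.conf (assumed, shown here as comments):
#   /etc/inetd.conf:
#     http stream tcp nowait nobody /usr/bin/nc nc -w 20 192.168.128.102 80
#   /etc/rc.conf:
#     inetd_flags="-wW -a 127.0.0.1"    # proxy listens on loopback only
# Redirect client -> 192.168.128.170:80 into the loopback listener.
rdr on $int_if inet proto tcp from $int_net to $fw_ip port http -> 127.0.0.1 port http

### Variant B: rdr + nat on the same interface (PF FAQ technique) ###
# The server must answer via the firewall, so the client's source address is
# translated to the firewall's. Needs gateway_enable="YES" in rc.conf so the
# host forwards packets. Uses port 8080 here only so that both variants can
# coexist in one file; in practice you would pick one.
rdr on $int_if inet proto tcp from $int_net to $fw_ip port 8080 -> $webhost port http
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if inet proto tcp from $int_net to $webhost port http -> $int_if

### Filter rules (evaluated after translation, so they see rewritten addresses) ###
block drop log all
# Variant A: the redirected packet now has destination 127.0.0.1:80
pass in on $int_if inet proto tcp from $int_net to 127.0.0.1 port http flags S/SA keep state
# Variant B: the redirected packet now has destination $webhost:80
pass in on $int_if inet proto tcp from $int_net to $webhost port http flags S/SA keep state
# Management access to the firewall itself
pass in on $int_if inet proto tcp from $int_net to $fw_ip port ssh flags S/SA keep state
# Outbound: covers nc's connection to the server (A) and the forwarded SYN (B)
pass out on $int_if inet proto tcp all flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`, and confirm the translation took effect with `pfctl -ss`: for variant A the state should show the client's connection with 127.0.0.1:80 as the translated destination rather than the CLOSED:SYN_SENT pair from the first post. The trade-off between the two variants: A needs a userland process and a listener that must be pinned to loopback (hence `-a 127.0.0.1`, and `nobody` instead of root since a plain forwarder needs no privileges), while B needs no process at all but the web server sees every client as 192.168.128.170, so its own access logs lose the real client address.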