On Tue, Oct 18, 2005 at 12:22:54PM -0500, Graham Toal wrote:

> However that doesn't help me work out how to fake the source address
> dynamically per connection.  It may not be possible with pf, though
> it's more likely possible with pf than any other mechanism.  My guess
> is that 90% of the work is already done in pf but some new code may
> be needed for that last 10%.  If that's the case though it may be a long
> time before I finish this project :-)  (Unless I can find a pf
> developer interested in adding new features)

It was discussed a while ago (search for 'embrionic states'), but never
implemented.

You can achieve a similar effect using dynamic NAT rules and an anchor.
Have your proxy bind(2) to a unique source port for each connection to the
real server. Before you actually connect, insert a temporary NAT rule
into a temporary anchor, which translates the source address (to that of
the external peer) based on the source port. Then connect(2). Then
remove the NAT rule again. See pfctl sources for the appropriate
ioctl(2) calls.

At least I think that should work :)

Daniel
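The bind / insert rule / connect / remove rule sequence described above, as an added example that is not part of the original thread and not Daniel's or the pf project's code. Instead of the ioctl(2) calls the reply points to, it shells out to pfctl(8) using the 2005-era syntax (a `nat` rule loaded into a per-connection sub-anchor with `-a`, flushed with `-F nat`); the anchor name `proxy-spoof`, the assumption that the main ruleset contains a matching `nat-anchor "proxy-spoof"` line, and the addresses and interface name are all constructed. Because the rule only needs to exist at the moment connect(2) creates the state, it is removed in a `finally` block so a failed connect cannot leave a stale translation in the anchor.

```python
import socket
import subprocess
from typing import Callable, List, Optional, Sequence

# Assumed: the main pf ruleset was loaded with a line such as
#     nat-anchor "proxy-spoof"
# so that per-connection sub-anchors beneath it are evaluated (2005-era pf syntax).
ANCHOR = "proxy-spoof"

# A runner takes an argv list and optional stdin text; it is injectable so the
# whole sequence can be dry-run without touching pf.
Runner = Callable[[Sequence[str], Optional[str]], object]


def pfctl_run(argv: Sequence[str], stdin: Optional[str]) -> object:
    """Real runner: invoke pfctl(8) and raise if it exits non-zero."""
    return subprocess.run(list(argv), input=stdin, text=True, check=True)


def build_nat_rule(ext_if: str, proxy_ip: str, sport: int,
                   server_ip: str, server_port: int, client_ip: str) -> str:
    """One NAT rule keyed on the proxy's source port: packets the proxy sends
    from that port to the real server get the external peer's address."""
    return (f"nat on {ext_if} proto tcp from {proxy_ip} port {sport} "
            f"to {server_ip} port {server_port} -> {client_ip}\n")


def anchor_for(sport: int) -> str:
    """A sub-anchor per connection, so flushing one cannot affect another."""
    return f"{ANCHOR}/conn-{sport}"


def load_rule(anchor: str, rule: str, run: Runner = pfctl_run) -> List[str]:
    """Load the rule text into the anchor from stdin ('-f -')."""
    argv = ["pfctl", "-q", "-a", anchor, "-f", "-"]
    run(argv, rule)
    return argv


def flush_rule(anchor: str, run: Runner = pfctl_run) -> List[str]:
    """Flush the NAT rules of that anchor only; existing states survive."""
    argv = ["pfctl", "-q", "-a", anchor, "-F", "nat"]
    run(argv, None)
    return argv


def new_tcp_socket() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    return s


def spoofed_connect(client_ip: str, server: tuple, proxy_ip: str, sport: int,
                    ext_if: str, run: Runner = pfctl_run,
                    sock_factory: Callable[[], object] = new_tcp_socket):
    """bind(2) to a unique port -> temporary NAT rule -> connect(2) -> remove rule.

    Returns the connected socket; the caller owns it.
    """
    s = sock_factory()
    s.bind((proxy_ip, sport))                  # 1. unique source port per connection
    anchor = anchor_for(sport)
    rule = build_nat_rule(ext_if, proxy_ip, sport, server[0], server[1], client_ip)
    load_rule(anchor, rule, run)               # 2. rule lives in its own sub-anchor
    try:
        s.connect(server)                      # 3. state is created with the translated source
    finally:
        flush_rule(anchor, run)                # 4. the state keeps working without the rule
    return s


if __name__ == "__main__":
    # Constructed addresses; this really calls pfctl and connects, so run it
    # only on a pf host where the anchor above exists.
    conn = spoofed_connect("203.0.113.5", ("192.0.2.10", 80),
                           "10.0.0.2", 40001, "em0")
    conn.close()
```

The source port doubles as the key that ties the rule to exactly one connection, which is why the proxy must pick it (bind(2) to a specific port) rather than let the kernel choose it at connect(2) time.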