> From [EMAIL PROTECTED] Tue Oct 18 13:35:38 2005
> Date: Tue, 18 Oct 2005 20:23:31 +0200
> From: Daniel Hartmeier <[EMAIL PROTECTED]>
> To: Graham Toal <[EMAIL PROTECTED]>
> Cc: pf@benzedrine.cx, [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: pf to spoof source address - is it even possible?
>
> On Tue, Oct 18, 2005 at 12:22:54PM -0500, Graham Toal wrote:
>
> > However that doesn't help me work out how to fake the source address
> > dynamically per connection. It may not be possible with pf, though
> > it's more likely possible with pf than any other mechanism. My guess
> > is that 90% of the work is already done in pf but some new code may
> > be needed for that last 10%. If that's the case though it may be a long
> > time before I finish this project :-) (Unless I can find a pf
> > developer interested in adding new features)
>
> It was discussed a while ago (search for 'embrionic states'), but never
> implemented.

Found it. Back in 2002 someone was looking at doing the same sort of
transparency for ftp: http://marc.theaimsgroup.com/?t=103601063800002&r=1&w=2

> You can achieve a similar effect using dynamic NAT rules and an anchor.
> Have your proxy bind(2) to a unique source port for each connection to the
> real server. Before you actually connect, insert a temporary NAT rule
> into a temporary anchor, which translates the source address (to that of
> the external peer) based on the source port. Then connect(2). Then
> remove the NAT rule again. See pfctl sources for the appropriate
> ioctl(2) calls.
>
> At least I think that should work :)

I'll give that a try; may take me a few days to get up to speed on at
least two things here that I haven't done before! I'll get back to you
if I make any progress.

Thanks

Graham
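The per-connection NAT trick Daniel sketches above, written out as an added example that is not part of this thread and not pf project code. It drives pf with pfctl(8) and a wildcard nat anchor instead of the raw ioctl(2) calls he points to, and it makes several assumptions the thread does not: the external interface is called em0, the main pf.conf already contains the line `nat-anchor "spoof/*"`, the OpenBSD 3.x era `nat` rule syntax is in use, and the real server's replies to the spoofed peer address route back through this same pf host (if they do not, the state entry never sees the return half of the connection and the trick cannot work). The addresses and the port in the usage line are constructed documentation values.

```shell
#!/bin/sh
# Added example (not from the thread): give one outbound proxy connection
# the external peer's source address by loading a temporary nat rule,
# keyed on the proxy's bound source port, into a per-connection sub-anchor.
#
# Assumptions (all hypothetical, chosen for the example):
#   - external interface em0
#   - main pf.conf contains:  nat-anchor "spoof/*"
#   - pre-4.7 pf "nat ... ->" syntax
#   - server replies to the peer address come back through this host

EXT_IF="em0"          # assumed external interface
ANCHOR_BASE="spoof"   # assumed anchor; needs  nat-anchor "spoof/*"  in pf.conf

# Build the nat rule for exactly one connection.  Matching on the proxy's
# chosen source port is what stops the rule from rewriting any other
# connection the proxy has open to the same server.  static-port keeps
# that port instead of letting pf pick a random high port.
gen_nat_rule() {
    peer="$1"; proxy_ip="$2"; src_port="$3"; server="$4"
    printf 'nat on %s proto tcp from %s port %s to %s -> %s static-port\n' \
        "$EXT_IF" "$proxy_ip" "$src_port" "$server" "$peer"
}

# One sub-anchor per connection, named after the source port, so that
# flushing it cannot disturb rules loaded for other connections.
anchor_name() {
    printf '%s/%s\n' "$ANCHOR_BASE" "$1"
}

# Load the rule, run the command that performs bind(2)+connect(2) on
# src_port, then flush the sub-anchor.  The SYN creates a state entry
# that carries the translation, so the rule is only needed until
# connect(2) has been sent; here it is removed when the command exits.
with_spoofed_source() {
    peer="$1"; proxy_ip="$2"; src_port="$3"; server="$4"; shift 4
    anchor=$(anchor_name "$src_port")
    gen_nat_rule "$peer" "$proxy_ip" "$src_port" "$server" | pfctl -a "$anchor" -f -
    "$@"
    rc=$?
    pfctl -a "$anchor" -F nat
    return $rc
}

# Usage (as root on the pf host; constructed example values):
#   with_spoofed_source 203.0.113.5 192.0.2.10 40001 198.51.100.7 \
#       nc -s 192.0.2.10 -p 40001 198.51.100.7 21
# The server at 198.51.100.7 then sees the connection arrive from
# 203.0.113.5:40001 rather than from the proxy's own 192.0.2.10.
```

Two things to check before relying on this. First, the rule and the flush must run as root on the host that actually forwards the traffic; a proxy on a separate box behind the firewall cannot do it. Second, on pf from OpenBSD 4.7 onward the separate nat ruleset no longer exists: the rule becomes `match out on em0 proto tcp from 192.0.2.10 port 40001 to 198.51.100.7 nat-to 203.0.113.5 static-port`, it is loaded into an ordinary `anchor "spoof/*"`, and the flush is `pfctl -a "$anchor" -F rules`. A real proxy would replace the shell wrapper with the equivalent DIOCADDRULE-style ioctl(2) calls from pfctl's sources, as Daniel suggests, so the insert and remove happen inside the same process that calls connect(2).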