On Thursday 15 September 2005 14:36, Brian Candler wrote:
> On Thu, Sep 15, 2005 at 01:16:19PM +0100, Greg Hennessy wrote:
> > It could do,
> >
> > Make the 1st line of the policy
> >
> > block log all
> >
> > And see what it catches.
>
> /etc/pf.conf now:
> rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25
> rdr pass on lo0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
> rdr pass on fxp0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
> block log all
>
> Not surprisingly, it blackholes everything.
>
> # telnet -N 147.28.0.39 25
> Trying 147.28.0.39...
> telnet: connect to address 147.28.0.39: Operation not permitted
> telnet: Unable to connect to remote host
>
> # tcpdump -r /var/log/pflog
>
> just shows:
>
> 13:26:09.426570 IP bloodhound.noc.clara.net.57393 > rip.psg.com.smtp: S
> 360892497:360892497(0) win 65535 <mss
> 1460,nop,nop,sackOK,nop,wscale1,nop,nop,timestamp 9750257 0>
>
> (that's it; no RST, no ICMP ADMIN-PROHIBITED)
>
> I'm coming to the conclusion that 'rdr' acts on an "inbound" interface,
> i.e. packets arriving at the kernel, and locally-originated packets don't
> match any interface; or something like that.
That is correct. RDR-rules are only applied to inbound traffic as displayed
here: http://mniam.net/pf/pf.png

To work around this you can install a route-to rule to loop the packet:

pass out route-to (lo0 127.0.0.1) proto tcp from any to any port 25

This will re-loop the packet, pf will see it as inbound and thus apply the
redirection.

In order to get correct ident replies you need to do more work, I am afraid.
There is oidentd (security/oidentd) which has some functionality to support
NAT in OpenBSD - it might be able to port this over ...

> But I was hoping there would be someone on the list who has a reasonably
> deep knowledge of the 'pf' code and could explain whether what I want to do
> is not possible, or if it is, how to do it.

--
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
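As an added example (not from either mail in this thread), here is how the two pieces fit together in a single /etc/pf.conf: Brian's rdr rules and default deny, plus Max's route-to rule so that locally originated SMTP connections also get redirected. The interface name fxp0 and the 127.0.0.1:25 target are taken from the thread; the interface-less rdr rule from Brian's config is dropped because the fxp0 and lo0 rules already cover both paths, and the remark about `set skip on lo0` is an assumption added here, not something the thread states.

```pf
# /etc/pf.conf - example assembled from this thread, not Brian's or Max's file.
#
# Do NOT add "set skip on lo0" to this file: the lo0 rdr rule below is the
# one that rewrites the looped packet, and skipping lo0 would bypass it.

# Translation rules. rdr is evaluated only on packets arriving INBOUND on the
# named interface, which is why a locally generated connection never matched.
rdr pass on fxp0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
rdr pass on lo0  proto tcp from any to any port 25 -> 127.0.0.1 port 25

# Default deny; every dropped packet is logged to pflog0 (as Greg suggested),
# so anything that still fails shows up in "tcpdump -n -e -ttt -i pflog0".
block log all

# Locally generated SMTP (the "telnet 147.28.0.39 25" case): the packet leaves
# the stack outbound, so no rdr sees it. route-to sends it through lo0 instead,
# where it arrives inbound and the lo0 rdr rule above rewrites it. Last
# matching rule wins, so this pass overrides "block log all" for that traffic.
pass out route-to (lo0 127.0.0.1) proto tcp from any to any port 25
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s state` should then show a state for an outbound port-25 connection whose destination has been translated to 127.0.0.1:25, and `pfctl -s rules` confirms the pass/route-to rule sits after the block rule. The `rdr pass` form creates state for the redirected connection, so it passes the default deny without a separate filter rule; if a connection is still dropped, the pflog entry shows which leg was blocked.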