Thanks for your reply. It still does not work. I can't see any data
leaving the mirror for the server.

Nothing is blocked in pflog0, and tcpdump does not show any connections
to 74.125.43.99.

This is my pf.conf:

---- [snipp]----
# Macro
admin=          "{ xxx xxx }"

ext_if=         "{ vic0 }"
client=         "{ 10.10.15.30 }"
mirror=         "{ 10.40.20.5 }"
server=         "{ 74.125.43.99 }"

# Rules
block in log
pass quick on lo0
pass out keep state

pass in from $client to $mirror rdr-to $server tag mirrored
pass out tagged mirrored nat-to $mirror

block in log inet proto icmp to self icmp-type redir
pass  in inet proto icmp from $admin to self

pass in proto tcp from $admin   to self port ssh
---- [/snipp]----

74.125.43.99 is an ordinary Google search server that I'm using for my
test.

I'm trying to use HTTP, targeting the mirror from a browser. I should
see outgoing connections from the mirror to the server, but there is only
data between the client and the mirror.

This is a short tcpdump of an HTTP request:

# tcpdump -n not port ssh
tcpdump: listening on vic0, link-type EN10MB
10:49:09.509062 10.10.15.30.44142 > 10.40.20.5.80: S
341929812:341929812(0) win 64240 <mss 1380,sackOK,timestamp 83797170
0,nop,wscale 3> [tos 0x88]
10:49:16.307710 10.10.15.30.44142 > 10.40.20.5.80: S
341929812:341929812(0) win 64240 <mss 1380,sackOK,timestamp 83797770
0,nop,wscale 3> [tos 0x88]
10:49:28.269764 10.10.15.30.43624 > 10.40.20.5.80: S
677212245:677212245(0) win 64240 <mss 1380,sackOK,timestamp 83799022
0,nop,wscale 3> [tos 0x88]
10:49:31.003629 10.10.15.30.43624 > 10.40.20.5.80: S
677212245:677212245(0) win 64240 <mss 1380,sackOK,timestamp 83799322
0,nop,wscale 3> [tos 0x88]

Nothing is blocked in pflog0 at the same time.

These are the running pf rules:
# pfctl -srules
block drop in log all
pass quick on lo0 all flags S/SA keep state
pass out all flags S/SA keep state
pass in inet from 10.10.15.30 to 10.40.20.5 flags S/SA keep state tag
mirrored rdr-to 74.125.43.99
pass out inet all flags S/SA keep state tagged mirrored nat-to 10.40.20.5
block drop in log inet proto icmp from any to 127.0.0.1 icmp-type redir
block drop in log inet proto icmp from any to 10.40.20.5 icmp-type redir
pass in inet proto icmp from xx to 127.0.0.1 keep state
pass in inet proto icmp from xx to 10.40.20.5 keep state
pass in inet proto icmp from xx to 127.0.0.1 keep state
pass in inet proto icmp from xx to 10.40.20.5 keep state
pass in inet proto tcp from xx to 127.0.0.1 port = ssh flags S/SA keep state
pass in inet proto tcp from xx to 10.40.20.5 port = ssh flags S/SA keep state
pass in inet proto tcp from xx to 127.0.0.1 port = ssh flags S/SA keep state
pass in inet proto tcp from xx to 10.40.20.5 port = ssh flags S/SA keep state

Thanks for trying to help me.

Best regards

2011/4/8 Stuart Henderson <s...@spacehopper.org>:
> On 2011-04-07, rancor <theran...@gmail.com> wrote:
>> I want to reflect all IP from a client to a server via another machine
>> called mirror. The client and server can't access each other, and there is
>> nothing I can do about that. However, the mirror can access both the
>> client and the server, so I want all traffic from the client to the mirror
>> to be reflected to the server, and all responses from the server to be
>> reflected back to the client via the mirror.
>
> this is probably the simplest way:
>
> pass in from $client to $mirror rdr-to $server tag mirrored
> pass out tagged mirrored nat-to $mirror
>
> if someone has time to write this up for www/faq/pf/rdr.html,
> please send me a diff.
>
> also related: binat-to (*without* setting the interface) also
> happens to put rules in place which allow you to connect from a
> client in the same subnet as the server. (credit to phessler for
> this tip).
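Added example, not part of this thread and not OpenBSD project code: a small diagnostic script for the mirror host that checks the preconditions a rdr-to/nat-to reflection like the one above depends on. A packet whose destination pf has rewritten with rdr-to to a non-local address still has to be forwarded by the kernel, so net.inet.ip.forwarding must be 1 on the mirror; when it is 0, the IP stack discards the packet after pf has already passed it, which is counted under "packets not forwardable" in netstat -s -p ip and never shows up on pflog0. The parsing functions take command output as arguments so the script runs offline on the constructed samples embedded below (the pfctl -vsr counter lines, the pfctl -ss state line and the netstat line are constructed for illustration and their numbers are invented); the server address 74.125.43.99 and the vic0 interface come from the post. The assumed pfctl output formats are the per-rule "[ Evaluations: .. Packets: .. ]" line of pfctl -vsr and the "translated (original)" form pfctl -ss uses for a state with a rewritten address.

```shell
#!/bin/sh
# Diagnostic helpers for a pf rdr-to/nat-to reflection host (added example,
# not part of the original thread). The parsing functions take command
# output as arguments so they can be exercised offline on the constructed
# samples below; run_live() feeds them the real commands on an OpenBSD mirror.

# --- constructed sample output (illustrative only; the counters are invented) ---
SAMPLE_FWD_OFF='0'
SAMPLE_FWD_ON='1'
SAMPLE_RULES='pass in inet from 10.10.15.30 to 10.40.20.5 flags S/SA keep state tag mirrored rdr-to 74.125.43.99
  [ Evaluations: 12        Packets: 4         Bytes: 240         States: 1     ]
pass out inet all flags S/SA keep state tagged mirrored nat-to 10.40.20.5
  [ Evaluations: 4         Packets: 0         Bytes: 0           States: 0     ]'
SAMPLE_STATES='all tcp 74.125.43.99:80 (10.40.20.5:80) <- 10.10.15.30:44142       SYN_SENT:CLOSED'
SAMPLE_IPSTAT='        12 total packets received
        4 packets not forwardable'

# Succeeds when the sysctl value says IPv4 forwarding is on.
# usage: forwarding_enabled "$(sysctl -n net.inet.ip.forwarding)"
forwarding_enabled() {
    [ "$1" = "1" ]
}

# Prints the Packets counter of the rdr-to rule whose target is $2, read from
# the "[ Evaluations: .. Packets: .. ]" line pfctl -vsr prints under each rule.
# Prints nothing if no such rule exists.
# usage: rdr_rule_packets "$(pfctl -vsr)" 74.125.43.99
rdr_rule_packets() {
    printf '%s\n' "$1" | awk -v target="$2" '
        /rdr-to/ && index($0, target) { want = 1; next }
        want && /Evaluations:/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") { print $(i + 1); exit }
        }
        { want = 0 }'
}

# Succeeds when pfctl -ss shows a state whose destination was rewritten to $2,
# i.e. the redirect itself happened (assumed format: "dst (original) <- src").
# usage: rdr_state_present "$(pfctl -ss)" 74.125.43.99
rdr_state_present() {
    printf '%s\n' "$1" | grep -q "^all .* $2:[0-9]* ("
}

# Prints the number of packets the IP stack refused to forward.
# usage: not_forwardable "$(netstat -s -p ip)"
not_forwardable() {
    printf '%s\n' "$1" | awk '/not forwardable/ { print $1; exit }'
}

# Combine the evidence. Prints one line of diagnosis and returns:
#   0  the rdr-to rule matched and forwarding is on; look at routing/tcpdump next
#   1  the rdr-to rule matched but net.inet.ip.forwarding is 0
#   2  the rdr-to rule never matched the client's packets
diagnose() {
    fwd=$1; rules=$2; states=$3; ipstat=$4; server=$5
    pkts=$(rdr_rule_packets "$rules" "$server")
    if [ "${pkts:-0}" -eq 0 ]; then
        echo "rdr-to rule never matched: check client/mirror addresses and rule order (pfctl -vsr)"
        return 2
    fi
    if ! forwarding_enabled "$fwd"; then
        echo "rdr-to matched $pkts packets but net.inet.ip.forwarding=0: the kernel drops" \
             "the redirected packet ($(not_forwardable "$ipstat") not forwardable); pflog never sees it"
        return 1
    fi
    rdr_state_present "$states" "$server" && s=yes || s=no
    echo "forwarding on, rdr-to matched $pkts packets, translated state present: $s;" \
         "next: route -n get $server; tcpdump -n -i vic0 host $server"
    return 0
}

# Live run on the mirror itself (root, OpenBSD).
# usage: sh reflect-check.sh --live 74.125.43.99
run_live() {
    diagnose "$(sysctl -n net.inet.ip.forwarding)" "$(pfctl -vsr)" "$(pfctl -ss)" \
             "$(netstat -s -p ip)" "$1"
}

if [ "${1:-}" = "--live" ]; then
    run_live "${2:-74.125.43.99}"
else
    # Offline demonstration on the constructed samples: forwarding off.
    diagnose "$SAMPLE_FWD_OFF" "$SAMPLE_RULES" "$SAMPLE_STATES" "$SAMPLE_IPSTAT" 74.125.43.99 || :
fi
```

Run it as root on the mirror with --live while the client retries the connection; without arguments it only runs over the constructed samples. If the rdr-to rule shows matched packets and forwarding is on but tcpdump on vic0 still shows nothing leaving for the server, the next things to look at are the route to the server (route -n get 74.125.43.99) and whether the nat-to rule is on the outbound path at all (its Packets and States counters in pfctl -vsr).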
