I am now trying with only the redirect to www.openbsd.org; if it works, I am sure it can be adapted to my case.
Unfortunately still no success.

# pf.conf:
ext_if="xnf0"

match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
    rdr-to 129.128.5.194 port 80
match out log on $ext_if proto tcp to 129.128.5.194 port 80 received-on \
    $ext_if nat-to $ext_if
match out log quick on $ext_if inet all tagged RDR \
    nat-to $ext_if

server_open="{ 80,110,443,25,587,465 }"
pass in log on $ext_if inet proto tcp from any port 1024:65535 to $ext_if port $server_open tag n_traffic

#block all to start
block all
pass quick tagged RDR
pass quick tagged n_traffic
pass out on $ext_if

> On 2/14/2020 6:30 AM, Fabio Martins wrote:
>> Hi Nick,
>>
>> Thanks. I applied both rules below, unfortunately I am still only
>> hitting rule number #1 (rdr-to). nat-to is never reached (added "log"
>> on each to test). I tried inverting the order, too, but no luck.
>>
>> #1
>> match in on $ext_if proto tcp from <spammers> to ($ext_if) port 25 \
>> rdr-to 200.200.200.200 port 2222
>>
>> #2
>> match out on $ext_if proto tcp to 200.200.200.200 port 2222 received-on \
>> $ext_if nat-to ($ext_if)
>>
>> --
>> Fabio Martins
>>
>
> Odd, are you allowing the traffic with an appropriate pass rule later?
>
> I use tagging for rules related to rdr and nat to keep things simple,
> here is the full working setup I used to bounce port 8099 on the
> external interface to www.openbsd.org port 80.
>
> #Fun reverse redirection of www.openbsd.org
> match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR
> rdr-to 129.128.5.194 port 80
> match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on
> $ext_if nat-to $ext_if
>
> #block all to start
> block log all
> pass quick tagged RDR
> pass out on $ext_if
>
>
> Make sure you are testing from an external host of course.
>