> On 10.02.2022 at 19:01, Stuart Henderson <[email protected]> wrote:
>
> On 2022-02-10, Mike Fischer <[email protected]> wrote:
>>> The redirection to an address on the local machine is just internal to
>>> the machine; those would only show a second time in tcpdump if they were
>>> being sent to another machine.
>>
>> Ok, thanks. So there is no way to trace rdr-to (other than possibly doing
>> low level kernel debugging)?
>
> See pflog(4) - "match log(matches)" is very useful for tracking through
> fiddly rulesets.
Indeed, and tcpdump -v helps as well, as I found out. It shows the original
destination as well as the redirected one:

tcpdump -n -e -ttt -l -i pflog0 -v 'port 80 or 8080'

>>> Normally if you have two addresses on the same lan you'd configure them
>>> as aliases on the one interface, this seems a bit of a non-standard
>>> config.
>>
>> Yes I know. The reason for trying this was that having two
>> inet6 autoconf interfaces on the same LAN has issues. And alias
>> was not an option due to dynamic IPv6 prefixes. (See this
>> thread: https://marc.info/?l=openbsd-misc&m=164412170710420&w=2
>> and a suggestion by Brian Brombacher in
>> https://marc.info/?l=openbsd-misc&m=164418424619191&w=2 that I wanted to
>> give a try.)
>>
>> Non-standard or not, it works ;-) Though the headers seen by the web
>> server show the redirected IP and port and not the ones originally asked
>> for by the client. Not surprising but something the site developer needs
>> to be aware of. And HTTP was only an easy to use example. For other
>> services this limitation may have more severe consequences.
>
> Ah yes I do remember reading this, but I couldn't figure out a use case
> for doing it that way :) I'm not a fan of non-standard configs where
> avoidable, they're usually the ones which get broken when things are
> changed.

Granted, in a normal hosting environment with static IPs this is generally
not relevant. For those of us testing things at home or in some small office
environments there is a use case.

> btw for "only the prefix is listed not the complete IPv6 addresses" ->
> see netstat's -v flag.

Cool, thanks!

Mike
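As an added illustration of the "match log(matches)" plus pflog approach discussed above (this is editorial example config, not a ruleset posted by either participant), the pf.conf fragment below redirects connections for one local address to a second local address and port while logging every rule the packet matches. The interface name em0 and the addresses 192.0.2.10/192.0.2.11 are assumptions chosen for the example; the thread does not give the real ones.

```pf
# Added example (not from the thread); interface name and addresses are assumed.
ext_if  = "em0"
web_pub = "192.0.2.10"   # address the client actually connects to
web_int = "192.0.2.11"   # second local address the web server listens on

block in log on $ext_if

# log (matches) logs this packet at every rule it matches from here on, not
# only at the last matching rule, so pflog records the original destination
# ($web_pub:80) and, separately, the rdr-to rule that rewrites it.
match in log (matches) on $ext_if proto tcp to $web_pub port 80

# On OpenBSD, rdr-to on a pass rule both translates and passes the connection.
# The server on $web_int:8080 sees $web_int:8080 as the destination, never
# $web_pub:80, which is the caveat raised in the message above.
pass in on $ext_if proto tcp to $web_pub port 80 rdr-to $web_int port 8080

# Direct connections to $web_int:8080 remain blocked by the default block rule
# unless a rule passes them explicitly; check this with a direct connect test.
```

Load it with `pfctl -f /etc/pf.conf` and watch `tcpdump -n -e -ttt -l -i pflog0 -v 'port 80 or 8080'` (the command from the message) while a client connects to 192.0.2.10:80: the match rule's entry shows the pre-rewrite destination and the pass rule's entry shows the redirected one, so the translation can be followed in pflog without kernel debugging.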

