On 2023-04-04, Nicolas Goy <m...@kuon.ch> wrote:
> On Sun, 2023-04-02 at 15:49 +0000, Stuart Henderson wrote:
>> On 2023-04-02, Jared Harper <ja...@hrpr.us> wrote:
>> > On Sun, Apr 2, 2023, at 6:56 AM, Nicolas Goy wrote:
>> > > Hello,
>> > > 
>> > > Is it possible, with pf, to expose an ipv6 server on an ipv4
>> > > port?
>> > > 
>> > > Something like this:
>> > > 
>> > > -req on 1.2.3.4:80->pf->[1:2:3:4::1]:80
>> > > 
>> > > I know this doesn't work:
>> > > 
>> > > pass in on any proto {tcp, udp} to $wan_ip port {80, 443} rdr-to
>> > > $some_ipv6
>> > > 
>> > > I know af-to can map between families, but I don't know if I can
>> > > couple
>> > > it with rdr-to in some way.
>> > 
>> > This seems like a job for relayd.
>> 
>> Or af-to.
>> 
>> 
>
> How would you use af-to in this configuration?

Looking at pf.conf(5) for syntax I just tried something fairly obvious:

pass in quick log proto tcp from any to $v4_address port 8383 \
    af-to inet6 from $dummy_v6_address to $listening_v6_address

that was on a router that's sat in front of a machine where I had run
"nc -6 -vv -l 8383" to watch for connections.

The problem with both this and relayd generic TCP relays is that the
original source address does not make it through in any form to the
end server, if you want that you'll need some kind of tunnel or to add
connection info into the protocol data somehow (e.g. for HTTP you
would normally need something that can add an X-Forwarded-For or
similar).
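
The HTTP case from the last paragraph, sketched as an added example that is not part of the original message: a relay appends the client address it observed to X-Forwarded-For, and the backend honours that header only when the TCP peer is the relay. The function names, the relay address 2001:db8::53 and the sample request are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: source address the relay uses towards the backend (constructed,
# IPv6 documentation prefix). With af-to alone this is all the backend sees.
TRUSTED_RELAYS = {ipaddress.ip_address("2001:db8::53")}

# Constructed request in which the client tries to pre-seed the header.
SAMPLE = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
          b"X-Forwarded-For: 10.0.0.1\r\n\r\n")


def add_forwarded_for(request_head: bytes, client_ip: str) -> bytes:
    """Relay side: append the observed client to X-Forwarded-For, so the
    rightmost entry is always the one this relay saw itself."""
    head, sep, rest = request_head.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    prior, kept = [], [lines[0]]
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"x-forwarded-for":
            prior.append(value.strip())
        else:
            kept.append(line)
    chain = b", ".join(prior + [client_ip.encode("ascii")])
    kept.append(b"X-Forwarded-For: " + chain)
    return b"\r\n".join(kept) + sep + rest


def client_address(peer_ip: str, request_head: bytes) -> str:
    """Backend side: honour the header only from a trusted relay, and only
    its rightmost entry; otherwise fall back to the TCP peer address."""
    if ipaddress.ip_address(peer_ip) not in TRUSTED_RELAYS:
        return peer_ip
    head = request_head.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"x-forwarded-for":
            last = value.split(b",")[-1].strip()
            try:
                return str(ipaddress.ip_address(last.decode("ascii")))
            except ValueError:
                break
    return peer_ip


if __name__ == "__main__":
    relayed = add_forwarded_for(SAMPLE, "198.51.100.7")
    print(client_address("2001:db8::53", relayed))
```

A request that reaches the backend without the header, as it would through af-to or a generic TCP relay, resolves to the translation or relay address itself.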

