Mark Felder wrote:
I completely understand what you're doing there, but that isn't what I'm
trying to do. Perhaps I'll give you a simple scenario that shows how to
make my needs easier to understand.

My home network is 192.168.1.0/24. A host on my network is
192.168.1.10. There is NO host at 192.168.1.200.

I want to be able to rewrite any traffic sent to 192.168.1.200 to
actually go to 192.168.1.10.

iptables -A OUTPUT -t nat -d 192.168.1.200 -j DNAT --to 192.168.1.10

Voila, like magic, the packets are rewritten. I can ping 192.168.1.200
even though it doesn't exist! My computer is completely fooled into
thinking it does, because iptables rewrites transparently.

This is what I want to do with pf. Only I'm rewriting external REAL world
addresses to internal addresses for a development environment under very
specific conditions where split horizon DNS doesn't fit the requirements
(Because it's always on. Separate DNS servers and host file changes are
too intrusive so they aren't viable either.)

What about these?

#1. If you know which ports you need to redirect:
http://www.openbsd.org/faq/pf/rdr.html#tcpproxy

#2. If not:
http://www.openbsd.org/faq/pf/rdr.html#rdrnat

#3. If the computers (client and fake server) are in the same subnet and you have control of the sending computer (though maybe not of the software in question):

client# route add 10.10.10.10 192.168.1.100
server# ifconfig <if> 10.10.10.10

and start the required service on the fake server, binding it to 10.10.10.10, if necessary

I've recovered browser-cached but forgotten https encrypted passwords this way. Easier than #1 and #2. :-)

/Alexander

I'm doing this by running a proxy on the box where the firewall is. Access the proxy and your traffic is rewritten to this specific dev environment. This works on a Linux box, but I'd like to move the
operation to a BSD box with pf.

Do you understand the issue a little better now? It's a hack, I'll
admit, but it works in iptables and why pf doesn't seem to offer this
functionality is confusing. Or maybe I'm going about it wrong and it
*is* possible. I'm not sure yet. That's why I'm emailing here :)


Mark
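The pf equivalent of the iptables OUTPUT-chain DNAT above, as an added example that is not from any participant in the thread: rdr only rewrites packets arriving on an interface, and locally generated packets never "arrive" on the external interface, so the trick is to route them out through lo0, where they come back in and a rdr rule on lo0 can rewrite the destination. The interface name em0, the real-world address 203.0.113.10, the dev host 192.168.1.10 and the port list are assumptions; the rule syntax is the pre-OpenBSD-4.7 form used elsewhere in this thread.

```pf
# Added example: redirect traffic this host itself sends to a real-world
# address so that it lands on an internal dev box instead.
# Interface, addresses and ports below are assumed values.
ext_if    = "em0"
real_host = "203.0.113.10"     # public address the software insists on using
dev_host  = "192.168.1.10"     # where the traffic should actually go
dev_ports = "{ 80, 443 }"

# rdr is evaluated on inbound packets only. Locally generated packets are
# forced through lo0 by the route-to rule below, so they are seen inbound
# on lo0 and this rule rewrites their destination.
rdr pass on lo0 inet proto tcp from any to $real_host port $dev_ports -> $dev_host

# Catch the packets on their way out and send them via the loopback
# interface instead of the real default route.
pass out on $ext_if inet proto tcp from any to $real_host port $dev_ports route-to lo0
```

Parse-check with `pfctl -nf /etc/pf.conf` before loading, then confirm with `pfctl -s nat` and `pfctl -s rules` that both rules are present, and make sure lo0 is not listed in a `set skip on` line or the rdr rule will never be evaluated. On OpenBSD 4.7 and later the same idea is written as `pass in on lo0 ... rdr-to $dev_host` together with the `route-to lo0` rule. Keep in mind that this only rewrites the destination IP: an https client will still expect a certificate for the real hostname, so the dev box needs one the client trusts, and the DNS answer for the real name is still what the client resolves, exactly as in the iptables case.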


On Wed, Apr 16, 2008 at 09:42:34PM -0500, Peques wrote:
Have you tried?

webserver = "192.168.2.7"
webports = "{ http, https }"
emailserver = "192.168.2.5"
email = "{ smtp, pop3, imap, imap3, imaps, pop3s }"
rdr on $ext_if proto tcp from any to $ext_if port $webports -> $webserver
rdr on $ext_if proto tcp from any to $ext_if port $email -> $emailserver
pass proto tcp from any to $webserver port $webports synproxy state
pass proto tcp from any to $emailserver port $email synproxy state
pass proto tcp from $emailserver to any port smtp synproxy state

or you could try

# variable name matched to the $lan1 used in the rule below
lan1 = "10.10.10.10/24"
lan2 = "192.168.0.0/24"
# a rdr rule also needs a redirect target ("-> address") before pfctl will load it
rdr on $ext_if proto { tcp, udp } from $lan1 to $lan2

See you
