On Mon, Oct 20, 2003 at 11:29:51AM -0400, Justin Ma wrote:

> But what if I want $client to belong to gwy, and treat $int_if as a
> virtual address? For example, if I 'ping $int_if', then when sniffing some
> virtual interface, I'd see packets from $client to $int_if and vice versa.

If $client is one of gwy's own addresses, why not just bind(2) the
sender to that address? That's the usual approach in that case, you'd
have to explain why you need pf to perform that translation at all.

rdr only works for packets coming in on an interface, not for packets
going out an interface. So there's no 'rdr out on $ext_if' that you
could use to replace the destination address on outgoing packets. This
feature would be useful in certain cases, but isn't implemented (yet).

> Essentially, we compress the client-gwy tandem into a single machine.  Can
> this be done?  Would it require loopbacks or internal tunnels?

You can try with loopback, but I'm not sure whether it will work.
What's the reason for wanting to put the client on the gateway itself?
Putting it on a separate machine would make the setup less obfuscated
(compared to loopback tricks) and not risk compromising the firewall
when the client is vulnerable.

Daniel

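The bind(2) approach Daniel suggests above, as an added example written for this page (it is not code from the thread or from pf): a UDP sender pins its source address with bind(2) before sending, so no pf translation is needed. It assumes 127.0.0.1 stands in for one of the gateway's own addresses, and 192.0.2.1 (a TEST-NET address, assumed not configured on the host) for an address the gateway does not own, which bind(2) must reject.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a UDP socket whose source address is fixed to local_ip via bind(2).
 * Port 0 lets the kernel pick an ephemeral port; only the address matters here.
 * Returns the socket fd, or -1 on failure (bad address, or address not
 * owned by this host, in which case bind(2) fails with EADDRNOTAVAIL). */
int bound_udp_socket(const char *local_ip)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = 0;
    if (inet_pton(AF_INET, local_ip, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Ask the kernel which source address it will stamp on packets sent from fd.
 * Writes the dotted-quad into buf; returns 0 on success, -1 on failure. */
int bound_source_ip(int fd, char *buf, size_t buflen)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
        return -1;
    return inet_ntop(AF_INET, &sin.sin_addr, buf, buflen) ? 0 : -1;
}

/* Bind to local_ip and check that the kernel reports exactly that address as
 * the socket's source. Returns 1 if the source is pinned as requested, 0 if
 * the bind failed or reported a different address. */
int source_is_pinned(const char *local_ip)
{
    char got[INET_ADDRSTRLEN];
    int fd = bound_udp_socket(local_ip);
    if (fd < 0)
        return 0;
    int ok = bound_source_ip(fd, got, sizeof got) == 0 &&
             strcmp(got, local_ip) == 0;
    close(fd);
    return ok;
}

int main(void)
{
    /* Assumed addresses for the demonstration: one the host owns, one it does not. */
    const char *own = "127.0.0.1";
    const char *foreign = "192.0.2.1";

    printf("bind to %s: %s\n", own, source_is_pinned(own) ? "pinned" : "failed");
    printf("bind to %s: %s\n", foreign, source_is_pinned(foreign) ? "pinned" : "failed");
    return 0;
}
```

Once the socket is bound this way, a sendto(2) on it leaves the host with the bound address as its source, which is what the quoted question wanted pf to produce; the same bind(2) call works for TCP sockets before connect(2).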