Re: pf rdr-to outgoing to local port issues
On Sat, 19 Mar 2011 21:28:09 +0100 Henning Brauer lists-open...@bsws.de wrote:

> > it was working for me - rdr-to outbound to a daemon on the firewall itself, but I deleted that virtual machine...
> >
> > > rdr-to is usually applied inbound. If applied outbound, rdr-to to a local IP address is not supported.
> >
> > I would put my hand in fire -- it was working :) I read the manpage but I don't get it, how could it work then?
>
> pretty certain it could not have worked. the rdr-to in this case is too late and the local/remote decision already taken.

Hi,

I understand I'm becoming annoying but it worked, but maybe I was on drugs... Unfortunately no evidence in hand now :)

I tested like this:

* ssh -D remotehost
* redsocks listening on 127.0.0.1:12345 and redirecting to 127.0.0.1:
* pf redirecting www to 127.0.0.1:12345
* lynx ipid.shat.net

Finally I saw in lynx the IP of the remote ssh socks5 tunnel.

Any idea how to redirect outgoing traffic to a local port? Would it be hard to add such functionality into PF? (I don't like such comparisons but it can be done on other OS.)

This feature would be handy to people doing system-wide socksifying (I already saw apps which spawned other apps and thus it was not socksified), or people who want to run almost everything via Tor or similar anonymizing networks -- I think it's better to socksify Tor traffic on OS level because one can misconfigure his application.

Thank you for help!

jirib
Re: pf rdr-to outgoing to local port issues
* jirib ji...@devio.us [2011-03-21 09:55]:
> On Sat, 19 Mar 2011 21:28:09 +0100 Henning Brauer lists-open...@bsws.de wrote:
>
> > > it was working for me - rdr-to outbound to a daemon on the firewall itself, but I deleted that virtual machine...
> > >
> > > > rdr-to is usually applied inbound. If applied outbound, rdr-to to a local IP address is not supported.
> > >
> > > I would put my hand in fire -- it was working :) I read the manpage but I don't get it, how could it work then?
> >
> > pretty certain it could not have worked. the rdr-to in this case is too late and the local/remote decision already taken.
>
> I understand I'm becoming annoying but it worked, but maybe I was on drugs... Unfortunately no evidence in hand now :)
>
> I tested like this:

might have run into a case where it works out of coincidence. I am not going to track this down for you now.

> Any idea how to redirect outgoing traffic to a local port? Would it be hard to add such functionality into PF? (I don't like such comparisons but it can be done on other OS.)

it is not a pf matter, it is in the stack and not feasible. no interest here.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
Re: pf rdr-to outgoing to local port issues
On Mon, Mar 21, 2011 at 02:45:35PM +0100, Henning Brauer wrote:
> * jirib ji...@devio.us [2011-03-21 09:55]:
> > On Sat, 19 Mar 2011 21:28:09 +0100 Henning Brauer lists-open...@bsws.de wrote:
> >
> > > > it was working for me - rdr-to outbound to a daemon on the firewall itself, but I deleted that virtual machine...
> > > >
> > > > > rdr-to is usually applied inbound. If applied outbound, rdr-to to a local IP address is not supported.
> > > >
> > > > I would put my hand in fire -- it was working :) I read the manpage but I don't get it, how could it work then?
> > >
> > > pretty certain it could not have worked. the rdr-to in this case is too late and the local/remote decision already taken.
> >
> > I understand I'm becoming annoying but it worked, but maybe I was on drugs... Unfortunately no evidence in hand now :)
> >
> > I tested like this:
>
> might have run into a case where it works out of coincidence. I am not going to track this down for you now.
>
> > Any idea how to redirect outgoing traffic to a local port? Would it be hard to add such functionality into PF? (I don't like such comparisons but it can be done on other OS.)
>
> it is not a pf matter, it is in the stack and not feasible. no interest here.

The problem is that the states created by an outgoing remote rdr-to local rule will cause untranslated traffic to go out of the firewall (e.g. with 127.0.0.1 as source IP). So this does not work. Outgoing local rdr-to local is not affected by this (because all traffic is routed via lo0 and so the states find each other again).

In the end there is no outgoing rdr-to rule that could not be changed to an incoming rdr-to rule for remote/external traffic passing through a FW.

--
:wq Claudio
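As an added illustration (not a configuration posted in this thread), here is the outbound rule from the original report next to the inbound form Claudio describes, applied on the internal interface for clients behind the firewall. The interface name, the LAN prefix and the macro names are assumptions.

```pf
# Added example, not from the thread: the outbound rdr-to form that fails,
# beside the inbound form for traffic that passes *through* the firewall.
int_if = "em0"              # assumed: LAN-facing interface of the firewall
lan    = "10.0.0.0/24"      # assumed: client network behind the firewall
proxy  = "127.0.0.1"        # local daemon (e.g. the redsocks setup in the thread)

# No "set skip on lo" here: Claudio notes that local-to-local redirection
# relies on the states meeting again on lo0, and the original report
# already showed the lo0 leg answered with a RST when lo was skipped.

# 1) The rule from the report, kept only as a comment. pf.conf(5) says
#    rdr-to to a local address is not supported on outbound rules: the
#    local/remote decision is already taken, so the state created here
#    lets untranslated traffic (source 127.0.0.1) leave the firewall.
# pass out log(matches) quick inet proto tcp from any to 89.176.141.250 port www \
#     rdr-to $proxy port 8080

# 2) Same intent, applied inbound on the internal interface. The
#    destination is rewritten before the stack routes the packet, and the
#    reply matches the same state on $int_if on its way back out.
pass in quick on $int_if inet proto tcp from $lan to any port www \
    rdr-to $proxy port 8080

# Remaining policy as in the report (last matching rule wins for the rest).
pass
block in log on ! lo0 proto tcp to port 6000:6010
```

This only covers traffic from other hosts passing through the firewall; connections originated on the firewall itself are the case Henning and Claudio say cannot be handled this way.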
Re: pf rdr-to outgoing to local port issues
* jirib ji...@devio.us [2011-03-19 00:38]:
> On Fri, 25 Feb 2011 10:21:20 +0100 Henning Brauer lists-open...@bsws.de wrote:
> > * william dunand william.dun...@gmail.com [2011-02-25 05:26]:
> > > > pass out log(matches) quick inet proto tcp from any to 89.176.141.250 port = www rdr-to 127.0.0.1 port 8080
> > >
> > > I think rdr-to is meant to be used on inbound rules.
> >
> > we allow rdr-to outbound too now. it has caveats, and - surprise! - they are described in the manpage. this example hits a caveat.
>
> Hi,
>
> it was working for me - rdr-to outbound to a daemon on the firewall itself, but I deleted that virtual machine...
>
> > rdr-to is usually applied inbound. If applied outbound, rdr-to to a local IP address is not supported.
>
> I would put my hand in fire -- it was working :) I read the manpage but I don't get it, how could it work then?

pretty certain it could not have worked. the rdr-to in this case is too late and the local/remote decision already taken.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
Re: pf rdr-to outgoing to local port issues
On Fri, 25 Feb 2011 10:21:20 +0100 Henning Brauer lists-open...@bsws.de wrote:
> * william dunand william.dun...@gmail.com [2011-02-25 05:26]:
> > > pass out log(matches) quick inet proto tcp from any to 89.176.141.250 port = www rdr-to 127.0.0.1 port 8080
> >
> > I think rdr-to is meant to be used on inbound rules.
>
> we allow rdr-to outbound too now. it has caveats, and - surprise! - they are described in the manpage. this example hits a caveat.

Hi,

it was working for me - rdr-to outbound to a daemon on the firewall itself, but I deleted that virtual machine...

> rdr-to is usually applied inbound. If applied outbound, rdr-to to a local IP address is not supported.

I would put my hand in fire -- it was working :) I read the manpage but I don't get it, how could it work then?

Thanks for help.

jirib
Re: pf rdr-to outgoing to local port issues
* william dunand william.dun...@gmail.com [2011-02-25 05:26]:
> > pass out log(matches) quick inet proto tcp from any to 89.176.141.250 port = www rdr-to 127.0.0.1 port 8080
>
> I think rdr-to is meant to be used on inbound rules.

we allow rdr-to outbound too now. it has caveats, and - surprise! - they are described in the manpage. this example hits a caveat.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
pf rdr-to outgoing to local port issues
Hello,

it's probably PEBKAC but I'm lost where the problem is. I try to redirect specific outgoing traffic to a local port; it doesn't work if 'set skip on lo' is used. I'm using the i386 snapshot from Feb 11.

Any idea? Thank you.

jirib

** pf rules:

set skip on lo
pass    # to establish keep-state
pass out log(matches) quick inet proto tcp from any to 89.176.141.250 port = www rdr-to 127.0.0.1 port 8080
block in log on ! lo0 proto tcp to port 6000:6010

** pfctl -vv -sr:

@0 pass all flags S/SA keep state
  [ Evaluations: 1353      Packets: 16        Bytes: 448         States: 1     ]
  [ Inserted: uid 0 pid 4256 State Creations: 8     ]
@1 pass out log (matches) quick inet proto tcp from any to 89.176.141.250 port = www flags S/SA keep state rdr-to 127.0.0.1 port 8080
  [ Evaluations: 1353      Packets: 5         Bytes: 320         States: 0     ]
  [ Inserted: uid 0 pid 4256 State Creations: 2     ]
@2 block drop in log on ! lo0 proto tcp from any to any port 6000:6010
  [ Evaluations: 1343      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4256 State Creations: 0     ]

** tcpdump on pflog0:

Feb 24 12:15:48.04 rule 1/(match) [uid 0, pid 4256] pass out on iwn0: [orig src 192.168.254.100:40695, dst 89.176.141.250:80] 192.168.254.100.40695 > 127.0.0.1.8080: S 3088363469:3088363469(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 149797819[|tcp]> (DF) [tos 0x10] (ttl 64, id 50505, len 64, bad cksum 68bd! differs by ce92)

** tcpdump on lo0:

12:15:48.042235 192.168.254.100.40695 > 127.0.0.1.8080: S 3088363469:3088363469(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 149797819 0> (DF) [tos 0x10]
12:15:48.042246 127.0.0.1.8080 > 192.168.254.100.40695: S 26525521:26525521(0) ack 3088363470 win 16384 <mss 33160,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 2966326995 149797819> (DF)
12:15:48.042252 192.168.254.100.40695 > 127.0.0.1.8080: R 3088363470:3088363470(0) win 0 (DF)
Re: pf rdr-to outgoing to local port issues
> pass out log(matches) quick inet proto tcp from any to 89.176.141.250 port = www rdr-to 127.0.0.1 port 8080

I think rdr-to is meant to be used on inbound rules.