From owner-freebsd-pf@FreeBSD.ORG Sun May 13 14:25:20 2012
From: orpheus
To: freebsd-pf@freebsd.org
Date: Sun, 13 May 2012 17:25:18 +0300
Subject: rdr to 127.0.0.1 doesn't work
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello, guys!

I am trying to configure redirection to 127.0.0.1 port 8025 (spamd service) in pf, but with no luck.
System: FreeBSD 8.2-RELEASE amd64

root ~ # sockstat -l | grep 8025
_spamd   obspamd   32926 4  tcp4   127.0.0.1:8025   *:*
_spamd   obspamd   32923 4  tcp4   127.0.0.1:8025   *:*
_spamd   obspamd   32922 4  tcp4   127.0.0.1:8025   *:*

root ~ # ifconfig
igb0: flags=8802 metric 0 mtu 1500
	options=1bb
	ether 00:25:90:09:01:b2
	media: Ethernet autoselect
	status: no carrier
igb1: flags=8843 metric 0 mtu 1500
	options=1bb
	ether 00:25:90:09:01:b3
	inet 1.1.1.2 netmask 0xffffff00 broadcast 1.1.1.255
	inet 1.1.1.3 netmask 0xffffffff broadcast 1.1.1.3
	media: Ethernet autoselect (100baseTX )
	status: active
ipfw0: flags=8801 metric 0 mtu 65536
lo0: flags=8049 metric 0 mtu 16384
	options=3
	inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141 metric 0 mtu 33152

This is my /etc/pf.conf:
===
ext_if = "igb1"
tcp_services="{ 21, 25, 80, 110, 143, 443, 993, 995, 1178, 2224, 2222, 5666 }"
udp_services="{ 53 }"
icmp_types="{ echoreq, unreach }"
table const { self }

set skip on lo0

rdr on $ext_if inet proto tcp from any to $ext_if port 25 -> 127.0.0.1 port 8025

block log all
pass in log inet proto tcp from any to 127.0.0.1 port 8025
pass in log on $ext_if inet proto tcp from any to $ext_if port 2224 keep state (max-src-conn 10, max-src-conn-rate 5/60, overload flush)
pass in log quick on $ext_if proto tcp from any to port www flags S/SA synproxy state
pass in log on $ext_if proto tcp from any to port $tcp_services flags S/SA synproxy state
pass in log on $ext_if proto { tcp, udp } from any to port $udp_services keep state
pass in log on $ext_if inet proto icmp all icmp-type $icmp_types keep state
pass in log quick on $ext_if proto tcp from any to any port 21 flags S/SA keep state
pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state
pass in log on lo0 inet proto tcp from any to 127.0.0.1 port 8025
pass in log on $ext_if inet proto tcp from any to $ext_if port smtp
pass out log on $ext_if proto tcp to port smtp
===

Then I am connecting to 127.0.0.1
from localhost:

root ~ # telnet 127.0.0.1 8025
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 m

And from a remote host to my server, port 25:

[root@remoteunixadmin] ~# telnet 212.26.132.2 25
Trying 212.26.132.2...
Can't to connect.

Checking pflog at the same time:

root ~ # tcpdump -eni pflog0 dst port 8025
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
17:19:39.787682 rule 2/0(match): pass in on igb1: 46.16.229.18.33722 > 127.0.0.1.8025: tcp 28 [bad hdr length 0 - too short, < 20]
17:19:40.877001 rule 2/0(match): pass in on igb1: 112.234.161.49.26795 > 127.0.0.1.8025: [|tcp]
17:19:41.163942 rule 2/0(match): pass in on igb1: 117.241.70.9.4183 > 127.0.0.1.8025: [|tcp]
17:19:41.366829 rule 2/0(match): pass in on igb1: 117.244.3.240.63272 > 127.0.0.1.8025: tcp 28 [bad hdr length 0 - too short, < 20]
17:19:41.629751 rule 2/0(match): pass in on igb1: 113.162.244.56.3196 > 127.0.0.1.8025: [|tcp]
17:19:42.128182 rule 2/0(match): pass in on igb1: 123.213.32.15.2554 > 127.0.0.1.8025: [|tcp]
17:19:42.387051 rule 2/0(match): pass in on igb1: 211.177.83.30.1836 > 127.0.0.1.8025: tcp 32 [bad hdr length 0 - too short, < 20]
^C
7 packets captured
67 packets received by filter
0 packets dropped by kernel

So it seems like the packets are being redirected, but the connection doesn't get to the 8025 service, because spamd doesn't answer. Actually this applies not only to spamd but to any service that listens on 127.0.0.1. I've tried to bind the service to my external interface, and then the redirection worked like a charm.

Please assist, what's the problem? Big thanks!
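To make the pflog capture above easier to reason about, here is a small parser for tcpdump's pflog0 output lines (an added example, not part of the original post or of pf/spamd); the sample lines are copied from the post's capture, and the rule-index and decode-failure interpretations are the example's own, not stated in the post.

```python
import re
from collections import Counter

# Constructed sample: three pflog lines copied from the tcpdump output quoted above.
SAMPLE_PFLOG = """\
17:19:39.787682 rule 2/0(match): pass in on igb1: 46.16.229.18.33722 > 127.0.0.1.8025: tcp 28 [bad hdr length 0 - too short, < 20]
17:19:40.877001 rule 2/0(match): pass in on igb1: 112.234.161.49.26795 > 127.0.0.1.8025: [|tcp]
17:19:42.387051 rule 2/0(match): pass in on igb1: 211.177.83.30.1836 > 127.0.0.1.8025: tcp 32 [bad hdr length 0 - too short, < 20]
"""

# One "tcpdump -eni pflog0" record: timestamp, matched rule (index/subrule),
# action, direction, interface, then src.port > dst.port and the decoder's remainder.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def parse_pflog_line(line):
    """Return a dict for one pflog record, or None for tcpdump's chatter lines."""
    m = PFLOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # "[|tcp]" and "bad hdr length" mean tcpdump could not fully decode the TCP
    # header at the 96-byte capture size shown in the post; re-run with -s 0
    # before reading these as malformed packets.
    rec["undecoded"] = "[|tcp]" in rec["rest"] or "too short" in rec["rest"]
    # Destination already rewritten to loopback while the packet is still being
    # evaluated on the external interface: the situation the post describes.
    rec["loopback_dst_off_lo"] = rec["dst"].startswith("127.") and rec["ifname"] != "lo0"
    return rec

def summarize(text):
    """Aggregate pflog records by matched rule and by destination socket."""
    recs = [r for r in map(parse_pflog_line, text.splitlines()) if r is not None]
    return {
        "records": len(recs),
        "undecoded": sum(r["undecoded"] for r in recs),
        "loopback_dst_off_lo": sum(r["loopback_dst_off_lo"] for r in recs),
        # rule index as printed by pflog; compare with the @N numbers in "pfctl -vvsr"
        "by_rule": Counter((r["action"], r["dir"], r["ifname"], r["rule"]) for r in recs),
        "by_dst": Counter((r["dst"], r["dport"]) for r in recs),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PFLOG).items():
        print(key, value)
```

Feed it `tcpdump -eni pflog0` output saved to a file to see, per matched rule, which interface pf evaluated the rewritten packets on and where they were sent.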