From owner-freebsd-pf@FreeBSD.ORG Thu May 8 11:57:53 2008
Delivered-To: freebsd-pf@freebsd.org
Date: Thu, 8 May 2008 13:58:23 +0200
From: Daniel Roethlisberger
To: freebsd-pf@freebsd.org
Message-ID: <20080508115823.GB7168@hobbes.ustdmz.roe.ch>
Mail-Followup-To: freebsd-pf@freebsd.org
References: <48222786.3050400@samoylyk.sumy.ua> <20080508085234.2cac29ca@twoflower.in.publishing.hu> <4822B459.6090307@samoylyk.sumy.ua> <20080508101252.4d25b9eb@twoflower.in.publishing.hu> <4822BB8A.8030507@samoylyk.sumy.ua> <20080508104308.702e8911@twoflower.in.publishing.hu>
In-Reply-To: <20080508104308.702e8911@twoflower.in.publishing.hu>
User-Agent: Mutt/1.5.4i
Subject: Re: iptables rule in pf
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

CZUCZY Gergely 2008-05-08:
> On Thu, 08 May 2008 11:36:26 +0300 Oleksandr Samoylyk
> wrote:
>
> > > > That iptables rule worked for any destination.
> > > You cannot rewrite a packet's destination address to _any_
> > > destination.
> > >
> > > It's like you cannot submit a package at the post office with the
> > > destination address "any". It's just meaningless.
> >
> > However it works with iptables. :)
> >
> > What can I do in my situation in order to gain the same
> > functionality by means of pf or other additional daemons?
> No, it doesn't. That iptables rule only affects the port number, where
> it defaults to the original dst address. So it defaults to something,
> whereas pf doesn't. With pf you have to explicitly specify the
> rewritten dst IP.
>
> In my first reply I've told you to read the openbsd FAQ. You haven't
> done it. I _strongly_ suggest you, before doing your next reply to the
> list, go and read that FAQ. Here's the URL once more, I bet you've
> lost it under your desk... http://www.openbsd.org/faq/pf/

Netfilter allows rewriting the destination port without rewriting the
destination address. It would seem that this is not possible with pf,
at least not using rdr. But it is not necessary, since my.smtp.server
is the only destination on port 25 that will not be dropped by the
previous rule, so you can just specify my.smtp.server as destination in
the rdr rule.

Just in case this is about submitting mail around port 25 filters (in
contrast to a fixed MTA-MTA "tunnel" on port 2525), you probably want
to use SMTP AUTH on the submission port (587) to solve this problem,
not just provide plain SMTP on a different port. On the submission
port, authentication is mandatory, which prevents it being used by
spambots to deliver mail directly to your MTA. Using submission and
blocking port 25 for end-user address ranges does have anti-spam
benefits.

--
Daniel Roethlisberger
http://daniel.roe.ch/
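An added pf.conf sketch of the approach described in the reply above (not from the thread itself): the rdr target names my.smtp.server explicitly, the filter drops port 25 to any other destination, and submission on 587 is passed. Interface names, the LAN prefix, and the choice of 2525 as the client-facing port are assumptions made up for this example.

```pf
# Macros (all values constructed for this example)
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"
smtp_server = "my.smtp.server"

# Translation: pf cannot say "change only the port, keep the original
# address", so the rdr target carries the MTA's address explicitly.
# Because the filter below drops port 25 to every other host anyway,
# naming my.smtp.server here loses nothing (the point made in the reply).
rdr on $int_if proto tcp from $lan_net to any port 2525 -> $smtp_server port 25

# Filtering (filter rules see the packet after translation):
# 1. Drop port 25 to anything that is not the designated MTA.
block out quick on $ext_if proto tcp from $lan_net to ! $smtp_server port 25
# 2. Let the redirected connections reach the MTA.
pass in  quick on $int_if proto tcp from $lan_net to $smtp_server port 25 keep state
pass out quick on $ext_if proto tcp from $lan_net to $smtp_server port 25 keep state

# Preferred for end-user mail: submission (587) with mandatory SMTP AUTH,
# which is what the reply recommends over plain SMTP on an odd port.
pass in  quick on $int_if proto tcp from $lan_net to any port 587 keep state
pass out quick on $ext_if proto tcp from $lan_net to any port 587 keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -sn` afterwards to confirm the rdr rule shows the resolved address of my.smtp.server rather than "any".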