Date: Tue, 13 Jan 2009 15:51:02 +0100
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: rdr pass rule
Message-ID: <200901131551.03193.max@love2party.net>
In-Reply-To: <f63c4b2d0901121714t452d2b6ftc3ca08c7c08b6ad0@mail.gmail.com>
References: <f63c4b2d0901121714t452d2b6ftc3ca08c7c08b6ad0@mail.gmail.com>
On Tuesday 13 January 2009 02:14:50 Mitar wrote:
> Hi!
>
> I have a system where my daemon is running on a public IP on a high
> port (so that it does not need root privileges, and it is bound to a
> public IP as it runs in a jail) and I would like to translate it to a
> lower port. I would like that just this lower port is publicly
> accessible. This can be done with:
>
> rdr pass on $int_untrust proto tcp from any to $addr_svc port $svc_ext
> -> $addr_svc port $svc_int
>
> This makes only the $svc_ext port accessible, as the $svc_int port is closed
> (not opened) for traffic.
>
> But I would like to assign this traffic to a queue and thus I cannot
> use the pass option. I wanted to create a rdr rule without the pass option and
> a separate pass rule later on. But the problem is that, as far as I
> understand, pass rules are applied after rdr, so I can set them only
> on an internal port (to which I am translating the public port). But then
> the question is how I can open this internal port so that it is not
> opened to the public, only to traffic coming through a rdr rule?
>
> Is there a general way one can transcribe the rdr pass option to a
> pass rule which would behave in the same way as rdr pass?

The simplest way off the top of my head: Use a "rdr ... tag"-rule and "pass ... tagged" later on.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
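A worked pf.conf fragment of the "rdr ... tag" plus "pass ... tagged" scheme suggested above, added here as an example and not part of the original thread or of pf itself. The macro names come from the question; their values, the tag name SVC_RDR, the queue names and the altq definition are assumptions for illustration.

```pf
# Macros from the original question; the concrete values are assumed.
int_untrust = "em0"
addr_svc    = "192.0.2.10"     # public jail address (documentation range)
svc_ext     = "80"             # low port the public should reach
svc_int     = "8080"           # high, unprivileged port the jailed daemon binds

# Assumed altq setup: a default queue and a dedicated queue for the service.
altq on $int_untrust cbq bandwidth 10Mb queue { std_q, svc_q }
queue std_q bandwidth 70% cbq(default)
queue svc_q bandwidth 30%

# Translation is evaluated before filtering. Instead of "rdr pass", tag the
# packets this rule rewrites; the tag (name assumed) stays attached to the
# packet when the filter rules run and is kept in the state they create.
rdr on $int_untrust proto tcp from any to $addr_svc port $svc_ext \
    tag SVC_RDR -> $addr_svc port $svc_int

# Default-deny on the untrusted interface, so the high port is never
# reachable directly, only via the translation above.
block in on $int_untrust

# Filter rules see the translated destination port ($svc_int). Only packets
# carrying the tag, i.e. those that went through the rdr rule, are passed,
# and this rule can now carry the queue assignment that "rdr pass" could not.
pass in on $int_untrust proto tcp from any to $addr_svc port $svc_int \
    tagged SVC_RDR flags S/SA keep state queue svc_q
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; afterwards `pfctl -sn` shows the translation rule with its tag and `pfctl -sr` the filter rule with the tagged and queue options, which makes it easy to confirm that a direct connection to $svc_int (no tag) hits the block rule while a connection to $svc_ext (tagged by rdr) is passed and queued.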