From: Nikos Vassiliadis <nvass@teledomenet.gr>
To: freebsd-questions@freebsd.org
Cc: Jonathan Horne
Date: Wed, 26 Sep 2007 16:10:18 +0300
Subject: Re: pf redirect question
Message-Id: <200709261610.19038.nvass@teledomenet.gr>
In-Reply-To: <200709260718.07589.freebsd@dfwlp.com>
References: <200709250946.58855.freebsd@dfwlp.com> <200709261028.49258.nvass@teledomenet.gr> <200709260718.07589.freebsd@dfwlp.com>
List-Id: User questions <freebsd-questions@freebsd.org>

Please CC me when replying to me, since I will see your replies in no
time. Otherwise your reply might not be seen, since it ends up in
another directory in my maildir.
On Wednesday 26 September 2007 15:18, Jonathan Horne wrote:
> On Wednesday 26 September 2007 02:28:48 Nikos Vassiliadis wrote:
> > No, don't use the IP on your server. Why should you do such a thing?
>
> Why not? I did specify that the old server is decommissioning and would
> be permanently downed.

Because the IP you will use on the host running FreeBSD and PF has
nothing to do with FreeBSD and PF. If you do this, you understand that
packets will be processed locally by FreeBSD's TCP/IP stack and not
forwarded to the new server, right? You only want PF to alter the
address from old server to new server, as I said previously. Not accept
the packet as if destined for localhost!

> > You just have to make sure that packets ($old_server <-> $world)
> > are routed through your $pf box. I guess that's the case for you.
> > pf will just translate the destination address from $old_server
> > to $new_server.
>
> Yes, any client or server would be able to route across the WAN to the
> new IP at the other end.

Something like this:

    client-a      client-b
       |             |
      ( internet cloud )
              |
            (pf)--------(new-server)
              |
              |
        (old-server)

> > BUT, which is this service you are talking about? Cause that's not
> > feasible with everything.
>
> Ultimately, I want to route some McAfee ePolicy clients to use another
> server.

Yes, I know nothing about it. Is redirecting TCP port 8080 enough?

[snip]

> Was my syntax in my example incorrect?

Yes, try removing the interface, just to be more general, until you
figure it out. Something like:

    rdr inet proto tcp from any to x.x.x.x port = ssh -> y.y.y.y port 22

And use "pfctl -vsnat" to check the state of the rdr rule, like this:

    [ Evaluations: 3434      Packets: 14      Bytes: 840      States: 0 ]

Be sure that every host involved is reachable from the pf box.

Nikos
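An added example, not part of the thread and not written by either poster: a pf.conf fragment for the layout in the diagram above, using the pre-4.7 "rdr ... ->" syntax that FreeBSD shipped in 2007. The interface name em0, the x.x.x.x / y.y.y.y placeholders and the choice of TCP 8080 (the only port the thread mentions) are assumptions; the ePO agent may use other ports as well.

```pf
# pf.conf fragment (added example, not from the thread). Assumed names:
# ext_if faces the "internet cloud", old_server is the address the
# clients still contact, new_server is the host that should answer.
ext_if     = "em0"
old_server = "x.x.x.x"
new_server = "y.y.y.y"
epo_port   = "8080"

# Do NOT configure $old_server on any interface of this box. The rdr
# below only fires on packets that are *forwarded* through pf; if the
# address is local, the kernel accepts the packet itself and the
# redirect never happens. The address just has to be routed here.

# Destination translation: rewrite $old_server -> $new_server on the
# way in. pf records a state entry, so replies from $new_server get
# their source address changed back to $old_server automatically, as
# long as those replies also pass through this box.
rdr on $ext_if inet proto tcp from any to $old_server port $epo_port \
        -> $new_server port $epo_port

# Filter rules see the packet *after* translation, so the pass rule
# must name the new server, not the old address. Allow only the
# redirected port; everything else to the old address stays blocked.
block in on $ext_if inet proto tcp from any to $old_server
pass  in on $ext_if inet proto tcp from any to $new_server port $epo_port \
        flags S/SA keep state
```

Load it with `pfctl -f /etc/pf.conf` and confirm with `pfctl -vsnat` as the post suggests: the Evaluations and Packets counters on the rdr line should climb when a client connects. Two things outside pf.conf decide whether this works at all. First, the box must forward: `sysctl net.inet.ip.forwarding=1` (gateway_enable="YES" in rc.conf), otherwise nothing is routed and nothing is redirected. Second, $old_server must still be delivered to the pf box; if it lies in the same subnet as $ext_if, the upstream router will ARP for it and get no answer once the old host is off, so either route the address to the pf box or publish it from the pf box with `arp -s x.x.x.x <ext_if MAC> pub`. Also keep the return path symmetric: if $new_server's default route bypasses the pf box, the reply leaves with source $new_server, the client sees the wrong peer address and the connection fails.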