From owner-freebsd-pf@FreeBSD.ORG Thu Sep 15 10:11:34 2005
From: Brian Candler <b.candler@pobox.com>
To: freebsd-pf@freebsd.org
Date: Thu, 15 Sep 2005 11:14:44 +0100
Subject: Using 'rdr' on outbound connections
Message-ID: <20050915101444.GA836@uk.tiscali.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello,

I would like to use pf to trap all locally-originated outbound connections to port 25 on any remote host, and redirect them to a local mailserver. I tried:

    rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25

but it doesn't seem to work (i.e. 'telnet mail.foo.com 25' connects as normal).

Using other rdr rules, I can demonstrate that rdr works if the connection originates from outside the machine, or if the connection is from the machine back to itself (e.g. 'telnet localhost 1234', where rdr redirects port 1234 to port 25). I just can't get connections from this machine to the outside world to be redirected.

Is this correct? Is there a way to make it work the way I want? I am running FreeBSD-5.4-RELEASE.

Unfortunately, for other reasons, 'ipfw' and 'ipf' won't work for me either:

(1) With ipfw and 'fwd 127.0.0.1,25' I can happily redirect all outbound port 25 connections to the local SMTP server:

    ipfw -f flush                                      # start from an empty ruleset
    ipfw add allow ip from any to any uid mailnull     # the MTA itself may reach remote port 25 directly
    ipfw add fwd 127.0.0.1,25 tcp from any to any 25   # everyone else's port-25 traffic goes to the local SMTP server
    ipfw add allow ip from any to any                  # everything else passes

However, the local SMTP server is unable to use ident (RFC1413) to determine the userid of the person originating the connection, probably because of the way ipfw fwd messes with sockets so that the remote IP is treated as local. Unfortunately, I need ident for the SMTP server to be able to identify the sender to perform per-user accounting / rate limiting.

(2) With ipf, there is no 'user' or 'uid' matching, and I need this so that the SMTP server itself is allowed to make outbound SMTP connections, as shown in the ipfw rules above. Because of this, I've not tested ipf to see if it can actually redirect the connections.

(I thought of putting the untrusted users in a jail(8) and having the trusted SMTP server outside, bound to a different IP. But at the moment the untrusted users are locked up using Apache mod_chroot, which doesn't know about jails; I would have to write a mod_jail.)

Any suggestions for how to solve this problem gratefully received...

Thanks,

Brian Candler.
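Editor's note with an added pf.conf sketch; this is not part of Brian's message nor a reply from the list. pf translation rules are applied to packets as they enter an interface, so a connection originated on the host itself leaves through the external interface without ever being "received" there and an rdr on that interface (or an rdr with no interface at all) has nothing to match. The workaround this sketch relies on is to route the outbound packets through lo0 with route-to, where an rdr on lo0 does see them; pf's "user" filter option then plays the role of ipfw's "uid" match for exempting the MTA. The interface name fxp0, the MTA running as user mailnull (taken from the ipfw rules in the message), and the assumption that route-to lo0 loops the packet back through pf on FreeBSD 5.4's pf are all assumptions made here and were not tested; whether the MTA's ident lookups then succeed is not something this sketch settles.

```pf
# Added example, not from the original post or any list reply.
# Assumed: external interface is fxp0, the MTA runs as user "mailnull",
# and route-to lo0 re-injects the packet inbound on lo0 (untested on 5.4).
ext_if = "fxp0"

# rdr matches packets arriving on an interface. Locally generated packets
# never arrive on $ext_if, so an rdr there (or one with no "on") never fires.
# An rdr on lo0 does fire once the packets are bounced through lo0 below.
rdr on lo0 inet proto tcp from any to any port 25 -> 127.0.0.1 port 25

# The MTA itself (user mailnull) may deliver to remote port 25 directly.
# "user" is pf's counterpart to the ipfw "uid" match. This rule must come
# before the route-to rule and be "quick" so the MTA's traffic is not looped.
pass out quick on $ext_if inet proto tcp from any to any port 25 user mailnull keep state

# Every other local process's outbound SMTP is handed to lo0, where the rdr
# above rewrites the destination to the local MTA.
pass out quick on $ext_if route-to lo0 inet proto tcp from any to any port 25 keep state

# Accept the redirected connections on lo0 and let the MTA's replies back out.
pass in  quick on lo0 inet proto tcp from any to 127.0.0.1 port 25 keep state
pass out quick on lo0 all keep state
```

To check whether the redirect is actually taking effect, open 'telnet mail.foo.com 25' from an unprivileged account and, in another terminal, run 'pfctl -s state': the lo0 entry for that connection should show the original remote address on one side and 127.0.0.1:25 on the other. If only an entry on $ext_if appears with the real remote address, the route-to loop is not re-entering pf and the rdr is never consulted.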