Date: Wed, 26 Sep 2007 18:48:44 +0300
From: Nikos Vassiliadis <nvass@teledomenet.gr>
To: Jonathan Horne <freebsd@dfwlp.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf redirect question
Message-ID: <200709261848.45566.nvass@teledomenet.gr>
In-Reply-To: <200709260942.23609.freebsd@dfwlp.com>
References: <200709250946.58855.freebsd@dfwlp.com> <200709261610.19038.nvass@teledomenet.gr> <200709260942.23609.freebsd@dfwlp.com>
On Wednesday 26 September 2007 17:42, Jonathan Horne wrote:
> On Wednesday 26 September 2007 08:10:18 Nikos Vassiliadis wrote:
> > Please CC me when replying to me, since I will
> > see your replies in no time. Otherwise your reply
> > might not be seen, since it ends up in another
> > directory in my maildir.
> >
> > On Wednesday 26 September 2007 15:18, Jonathan Horne wrote:
> > > On Wednesday 26 September 2007 02:28:48 Nikos Vassiliadis wrote:
> > > > No, don't use the IP on your server. Why would you do such a
> > > > thing?
> > >
> > > why not? i did specify that the old server is decommissioning and
> > > would be permanently downed.
> >
> > Because the IP you will use on the host running FreeBSD and PF has
> > nothing to do with FreeBSD and PF. If you do this, you understand
> > that packets will be processed locally by FreeBSD's TCP/IP stack
> > and not forwarded to the new server, right?
> >
> > You only want PF to alter the address from old server to new server
> > as I said previously. Not accept the packet as if destined for
> > localhost!
> >
> > > > You just have to make sure that packets ($old_server <-> $world)
> > > > are routed through your $pf box. I guess that's the case for you.
> > > > pf will just translate the destination address from $old_server
> > > > to $new_server.
> > >
> > > yes, any client or server would be able to route across the wan to
> > > the new ip at the other end.
> >
> > Something like this:
> >
> > client-a        client-b
> >
> >    ( internet cloud )
> >
> > (pf)--------(new-server)
> >
> > (old-server)
> >
> > > > BUT, which is this service you are talking about? Cause that's not
> > > > feasible with everything.
> > >
> > > ultimately, i want to route some Mcafee ePolicy clients to use
> > > another server.
> >
> > Yes, I know nothing about it. Is redirecting TCP port 8080 enough?
> >
> > [snip]
> >
> > > was my syntax in my example incorrect?
> >
> > Yes, try removing the interface, just to be more general,
> > until you figure it out. Something like:
> >
> > rdr inet proto tcp from any to x.x.x.x port = ssh -> y.y.y.y port 22
> >
> > And use "pfctl -vsnat" to check the state of the rdr command, like
> > this:
> >
> >   [ Evaluations: 3434      Packets: 14        Bytes: 840         States: 0 ]
> >
> > Be sure that every host involved is reachable from the pf box.
> >
> > Nikos
>
> well, the example you sent me worked... but just for a moment. as soon
> as i changed it (and restarted pf), it's not worked since. if im going to
> get this to work, this is actually more of the diagram im working with
> here:
>
> (pf) --- (old server) -- client-a
>
> (SITE-A) ---- (vpn-client-b)
>
> (internet-cloud) ---- (SITE-B) --- (new server)
>
> (SITE-C)
>
> (client-c)
>

No, you can't with such a topology. Let's examine client-c:

1) client-c sends a request to old-server
2) pf translates the destination from old-server to new-server
3) the packet arrives at new-server
4) new-server replies to client-c, not going through pf this time though
5) client-c gets a reply from new-server. Remember, it tried to connect
   to old-server, not to new-server.

So, change of plans... You have to use a TCP redirector; net/redir
comes to mind. Install redir, have redir listen on a port on your lo0
and proxy this to old-server:port, e.g.

redir --laddr=127.0.0.1 --lport=45876 --caddr=old-server --cport=80

then use pf and rdr to redirect old-server:port to 127.1:45876.

pseudo-pf.conf:

rdr inet proto tcp from any to x.x.x.x port = 80 -> 127.0.0.1 port 45876

That's all.

> where you see SITE-x, consider that the appropriate clusters of
> routers, vpn-endpoints/concentrators. client-a, old server, and pf are
> same-lan, other objects are all across a wan at different subnets, but
> all can reach all.
  ^^^^^^^^^^^^^^^^^

That's more of a problem in your situation. Hopefully not for long.

Nikos
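The five steps above, and why the net/redir detour fixes them, as an added Python model that is not code from the thread: pf only un-translates a reply it actually sees, so with a bare rdr the reply from new-server reaches client-c with the wrong source, while a rdr to a local proxy pulls the return path back through the pf box. The 10.x addresses, the client's source port and crosses_pf() (a simplification of which paths traverse pf in Jonathan's topology) are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed addresses standing in for the hosts in the thread (not real IPs).
CLIENT_C, NEW_SERVER = "10.3.0.9", "10.2.0.10"  # SITE-C client, SITE-B server
OLD_SERVER, PF_BOX = "10.1.0.10", "10.1.0.1"    # same LAN; pf is its gateway
LOOPBACK, REDIR_PORT = "127.0.0.1", 45876       # where net/redir listens

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def crosses_pf(pkt):
    """pf only sees packets entering or leaving its own LAN or local stack."""
    local = lambda ip: ip.startswith("10.1.0.") or ip == LOOPBACK
    return local(pkt.src) != local(pkt.dst)

def pf_translate(pkt, rdr, states):
    """Apply an 'rdr' to a new inbound flow; undo it on the matching reply."""
    if not crosses_pf(pkt):
        return pkt                       # asymmetric path: pf never sees it
    if (pkt.dst, pkt.dport) in rdr:
        dst, dport = rdr[(pkt.dst, pkt.dport)]
        states[(pkt.src, pkt.sport)] = ((pkt.dst, pkt.dport), (dst, dport))
        return replace(pkt, dst=dst, dport=dport)
    for client, (orig, xlat) in states.items():
        if (pkt.dst, pkt.dport) == client and (pkt.src, pkt.sport) == xlat:
            return replace(pkt, src=orig[0], sport=orig[1])
    return pkt

def reply_seen_by_client(use_redir):
    """Source (addr, port) of the reply as client-c receives it. Client-c
    connected to OLD_SERVER:80, so anything else is dropped by its TCP stack."""
    target = (LOOPBACK, REDIR_PORT) if use_redir else (NEW_SERVER, 80)
    rdr = {(OLD_SERVER, 80): target}
    states = {}
    req = pf_translate(Packet(CLIENT_C, 40000, OLD_SERVER, 80), rdr, states)
    if use_redir:
        # redir on the pf box terminates client-c's connection and opens its
        # own to new-server, so new-server's answer returns to the pf box and
        # redir relays it; the relayed packet leaves from 127.0.0.1:45876.
        reply = Packet(LOOPBACK, REDIR_PORT, req.src, req.sport)
    else:
        # new-server answers client-c directly, on a path that bypasses pf.
        reply = Packet(req.dst, req.dport, req.src, req.sport)
    reply = pf_translate(reply, rdr, states)
    return reply.src, reply.sport
```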