From owner-freebsd-questions@FreeBSD.ORG  Wed Sep 26 15:52:02 2007
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 1CFBF16A41A
	for <freebsd-questions@freebsd.org>;
	Wed, 26 Sep 2007 15:52:02 +0000 (UTC)
	(envelope-from nvass@teledomenet.gr)
Received: from smtp.teledomenet.gr (smtp.teledomenet.gr [213.142.128.2])
	by mx1.freebsd.org (Postfix) with ESMTP id 9816513C45D
	for <freebsd-questions@freebsd.org>;
	Wed, 26 Sep 2007 15:52:01 +0000 (UTC)
	(envelope-from nvass@teledomenet.gr)
Received: by smtp.teledomenet.gr (Postfix, from userid 58)
	id 4E92014212A; Wed, 26 Sep 2007 18:52:00 +0300 (EEST)
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on smtp.teledomenet.gr
X-Spam-Level: 
X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,RDNS_NONE
	autolearn=no version=3.2.3
Received: from iris (unknown [192.168.1.71])
	by smtp.teledomenet.gr (Postfix) with ESMTP id D188114205A;
	Wed, 26 Sep 2007 18:51:56 +0300 (EEST)
From: Nikos Vassiliadis <nvass@teledomenet.gr>
To: Jonathan Horne <freebsd@dfwlp.com>
Date: Wed, 26 Sep 2007 18:48:44 +0300
User-Agent: KMail/1.9.1
References: <200709250946.58855.freebsd@dfwlp.com>
	<200709261610.19038.nvass@teledomenet.gr>
	<200709260942.23609.freebsd@dfwlp.com>
In-Reply-To: <200709260942.23609.freebsd@dfwlp.com>
X-NCC-RegID: gr.telehouse
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200709261848.45566.nvass@teledomenet.gr>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf redirect question
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2007 15:52:02 -0000

On Wednesday 26 September 2007 17:42, Jonathan Horne wrote:
> On Wednesday 26 September 2007 08:10:18 Nikos Vassiliadis wrote:
> > Please CC me when replying to me, since I will
> > see your replies in no time. Otherwise your reply
> > might not be seen, since it ends up in another
> > directory in my maildir.
> >
> > On Wednesday 26 September 2007 15:18, Jonathan Horne wrote:
> > > On Wednesday 26 September 2007 02:28:48 Nikos Vassiliadis wrote:
> > > > No, don't use the IP on your server. Why should you do such a
> > > > thing?
> > >
> > > Why not? I did specify that the old server is decommissioning and
> > > would be permanently downed.
> >
> > Because the IP you will use on the host running FreeBSD and PF has
> > nothing to do with FreeBSD and PF. If you do this, you understand
> > that packets will be processed locally by FreeBSD's TCP/IP stack
> > and not forwarded to the new server, right?
> >
> > You only want PF to alter the address from old server to new server
> > as I said previously. Not accept the packet as if destined for
> > localhost!
> >
> > > > You just have to make sure that packets ($old_server <-> $world)
> > > > are routed through your $pf box. I guess that's the case for you.
> > > > pf will just translate the destination address from $old_server
> > > > to $new_server.
> > >
> > > Yes, any client or server would be able to route across the WAN to
> > > the new IP at the other end.
> >
> > Something like this:
> > client-a    client-b
> >
> > ( internet cloud )
> >
> >     (pf)--------(new-server)
> >
> >
> > (old-server)
> >
> > > > BUT, which is this service you are talking about? Cause that's not
> > > > feasible with everything.
> > >
> > > Ultimately, I want to route some McAfee ePolicy clients to use
> > > another server.
> >
> > Yes, I know nothing about it. Is redirecting TCP port 8080 enough?
> >
> > [snip]
> >
> > > was my syntax in my example incorrect?
> >
> > Yes, try removing the interface, just to be more general,
> > until you figure it out. Something like:
> > rdr inet proto tcp from any to x.x.x.x port = ssh -> y.y.y.y port 22
> >
> > And use "pfctl -vsnat" to check the state of the rdr command, like
> > this: [ Evaluations: 3434      Packets: 14        Bytes: 840        
> > States: 0 ]
> >
> > Be sure that every host involved is reachable from the pf box.
> >
> > Nikos
>
> Well, the example you sent me worked... but just for a moment. As soon
> as I changed it (and restarted pf), it's not worked since. If I'm going to
> get this to work, this is actually more of the diagram I'm working with
> here:
>
> (pf) --- (old server) -- client-a
>
> (SITE-A) ---- (vpn-client-b)
>
> (internet-cloud) ---- (SITE-B) --- (new server)
>
> (SITE-C)
>
> (client-c)
>

No, you can't with such a topology. Let's examine client-c:
1) client-c sends a request to old-server
2) pf translates the destination from old-server to new-server
3) the packet arrives at new-server
4) new-server replies to client-c, not going through pf this time though
5) client-c gets a reply from new-server. Remember, it tried to connect
   to old-server, not to new-server.

So, change of plans...
You have to use a TCP redirector; net/redir comes to mind.
Install redir, have redir listen on a port on your lo0 and
proxy this to old-server:port,
e.g.
redir --laddr=127.0.0.1 --lport=45876 --caddr=old-server --cport=80

Then use pf's rdr to redirect old-server:port to 127.1:45876.
pseudo-pf.conf:
# x.x.x.x is old-server's address; 45876 is the port redir listens on
rdr inet proto tcp from any to x.x.x.x port = 80 -> 127.0.0.1 port 45876

That's all.

> Where you see SITE-x, consider that the appropriate clusters of
> routers, vpn-endpoints/concentrators. client-a, old server, and pf are
> same-lan, other objects are all across a wan at different subnets, but
> all can reach all. 
  ^^^^^^^^^^^^^^^^^
That's more of a problem in your situation. Hopefully not for long.

Nikos
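An added example, not part of this thread and not net/redir's own code, showing what the redir step does and why it repairs the broken return path from step 4: a minimal TCP relay in Python that listens on loopback (the address a pf `rdr ... -> 127.0.0.1 port N` rule would point at) and opens a second TCP connection from the pf box itself to the target, so the target's replies necessarily come back to the pf box. The target here is a constructed echo server standing in for the server clients should end up on; the port is chosen by the OS instead of being fixed at 45876.

```python
import socket
import threading

def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so its peer sees EOF too."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer went away; the owning 'with' block closes the sockets

def _serve(handler):
    """Listen on a free loopback port, run handler(conn) per client, return the address."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # like redir --laddr=127.0.0.1; port 0 = let the OS pick
    srv.listen(16)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def start_relay(connect_to):
    """The redir role: for each accepted connection open a *new* TCP connection
    from this host to connect_to (redir's --caddr/--cport) and pump bytes both ways.
    The second leg starts here, so the target's replies return to this host,
    the pf box, which a bare rdr cannot guarantee on an asymmetric path."""
    def handle(client):
        with client, socket.create_connection(connect_to, timeout=5) as upstream:
            t = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
            t.start()
            _pump(client, upstream)
            t.join()
    return _serve(handle)

def start_echo_server():
    """Constructed stand-in for the target server: echoes what it receives."""
    def echo(conn):
        with conn:
            _pump(conn, conn)
    return _serve(echo)

def relay_roundtrip(payload):
    # client -> relay -> echo server and back; a pf rdr would aim at relay_addr
    relay_addr = start_relay(start_echo_server())
    with socket.create_connection(relay_addr, timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: c.recv(4096), b""))
```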