From: "Travis H." <solinym@gmail.com>
To: "Christian Meutes"
Cc: freebsd-pf@freebsd.org
Date: Sat, 15 Jul 2006 09:42:36 -0500
Subject: Re: RDR for locally generated traffic
In-Reply-To: <44B8F827.5000602@de.clara.net>
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf@freebsd.org>

On 7/15/06, Christian Meutes wrote:
> I have used a simple RDR rule for accomplishing this:
> "rdr pass on fxp0 proto tcp from $server_ip to 1.1.1.1 port 25 -> 2.2.2.2
> ... but without any success.
> When tcpdumping on fxp0 to check what is happening, I recognized that
> the packets are pushed untouched outside of fxp0 with the original IP
> address (1.1.1.1), so no rewriting was happening.

Yes, rdr actually gets performed on inbound packets only. Conversely, nat gets performed on outbound only. You cannot DNAT on outbound, nor can you SNAT on inbound.

I have been asking for the symmetric cases on the OpenBSD pf list, and it's on my "to do one day" list, but I have no idea when that will become the top priority (maybe never).

As I understand it, this limitation has to do with the way the TCP/IP stack works in BSD, particularly vis-a-vis routing. You will note we don't have an equivalent to the PREROUTING chain, either.

What I'd like to see is a real virtual machine designed for packet filtering (similar to BPF), and we compile the rules into VM instructions, and could support multiple source languages if so desired. This would give a lot more flexibility, and could lead to substantial innovations in firewalling (for example, doing stream reassembly to support variable-length re-writes, checking layer 7 data for stateful filtering (think DHCP and DNS), and doing extremely sophisticated state management). Plus, we could leverage all the optimizations that compiler designers have learned over the last 30 years.

Well, it all comes down to code time. Feel free to beat me to this one :-)

--
``I am not a pessimist. To perceive evil where it exists is, in my opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
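The following pf.conf fragment is an added example, not part of this thread and not taken from the pf documentation; it lays out the direction rule the reply states (rdr matches only inbound packets, nat only outbound) so the failure in the quoted rule is visible next to the placements that do rewrite. The interface names fxp1, the 192.0.2.0/24 addresses and the $server_ip value are constructed. The final two rules are an assumed workaround that is not mentioned in the mail (sending the host's own traffic through lo0 so that it becomes inbound on lo0, where rdr can match); it is written as an illustration and depends on the lo0 interface not being excluded with "set skip".

```conf
# Added example (not from the original mail). Macros and addresses are
# constructed for illustration.
ext_if    = "fxp0"
int_if    = "fxp1"             # assumed LAN-facing interface
server_ip = "192.0.2.10"       # constructed: the firewall host's own address

# Translation rules must precede filter rules in pf.conf.

# The quoted rule from the thread. Packets that this host generates itself
# are never *inbound* on fxp0, so an rdr on fxp0 has nothing to match and
# the packets leave with the original 1.1.1.1 destination untouched.
# rdr pass on $ext_if proto tcp from $server_ip to 1.1.1.1 port 25 -> 2.2.2.2 port 25

# Where rdr does apply: packets from LAN hosts enter the firewall inbound
# on $int_if, so their destination is rewritten before routing.
rdr pass on $int_if proto tcp from $int_if:network to 1.1.1.1 port 25 -> 2.2.2.2 port 25

# Conversely, nat rewrites the source address only on the outbound path.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Assumed workaround (not stated in the thread): make locally generated
# traffic arrive inbound on lo0, where an rdr can match it. Requires that
# lo0 is NOT listed in "set skip on lo0".
rdr pass on lo0 inet proto tcp from $server_ip to 1.1.1.1 port 25 -> 2.2.2.2 port 25
pass out on $ext_if route-to lo0 inet proto tcp from $server_ip to 1.1.1.1 port 25
```

Loading the file with "pfctl -nf /etc/pf.conf" parses it without applying it, and "pfctl -s nat" afterwards shows which translation rules are installed; whether a rule is actually matching is easiest to confirm the way the original poster did, with tcpdump on the interface the packet leaves on.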