From: Gerald McNulty
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Fri, 6 Jan 2012 14:21:07 +0000
Subject: Re: Basic transparent filtering with pf
In-Reply-To: <20120106074225.GA24312@insomnia.benzedrine.cx>

Hello Daniel,

That does seem to be similar to the issue I'm seeing, but sadly there was no solution there for pf and I was unable to get the ipfw pseudo configuration to work with pf.

Re-routing to the loopback address as you suggest does not allow the TCP handshake to complete. I tried using "synproxy state", also to no avail.

I don't understand how rerouting to the loopback address would solve this. There are 2 steps here - first the TCP handshake needs to be completed and then the kernel/pf needs to pass the packets to the correct socket. How is this supposed to work in pf? Or is this hidden/implicit in certain rule definitions?

Thanks for looking at this.

--
Gerald McNulty

On Fri, Jan 6, 2012 at 7:42 AM, Daniel Hartmeier wrote:
> On Fri, Jan 06, 2012 at 02:51:07AM +0000, Gerald McNulty wrote:
>
> > Is this something that requires further pf rules? Or something in the C
> > code?
>
> I think you're describing
>
> http://lists.freebsd.org/pipermail/freebsd-net/2011-March/028225.html
>
> With pf, you could try to reroute the replies to the loopback interface:
>
> pass out on $ext_if reply-to lo0 inet proto tcp user {uid} keep state
>
> Maybe first start by matching on a specific IP (e.g. 100.100.100.5) instead
> of the uid, as a test.
>
> HTH,
> Daniel