From owner-freebsd-pf@FreeBSD.ORG Mon Mar 4 20:54:10 2013
Date: Mon, 04 Mar 2013 14:45:52 -0600
From: CyberLeo Kitsana
To: Robert Simmons
Cc: freebsd-pf@freebsd.org
Subject: Re: Using pf and Tor DNS port

On 03/03/2013 04:47 PM, Robert Simmons wrote:
> I am having problems setting up Tor's DNSPort using pf. In FreeBSD
> 8.x I was able to just run Tor with the "DNSPort 53" config file
> option with no problems. Now, with 9.1, when I run it with that
> option, I get a permission denied error when trying to bind port 53 on
> localhost. I assume this is from tighter reserved port restrictions:
> now you must be root. Running Tor as root is not recommended, so I'm
> trying to forward all traffic from localhost port 53 to port 9053
> where I have Tor configured to listen now.
>
> I created a second loopback like so:
> ifconfig lo1 create up 127.0.0.2
>
> I added the following two rules:
> rdr pass on lo1 inet proto udp to port domain -> 127.0.0.1 port 9053
> pass out quick route-to lo1 inet proto udp to port domain keep state
>
> The above is not working. Any suggestions?

I'm pretty sure any traffic that both originates and targets addresses on
the same machine will pass over lo0, regardless of which interface
possesses the addresses. Try attaching your rdr rule to lo0 instead?

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
Furry Peace! - http://wwww.fur.com/peace/
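The following pf.conf fragment is an added illustration of the reply's suggestion, not configuration posted by either participant; it assumes FreeBSD 9.x pf syntax, that Tor runs unprivileged with "DNSPort 9053" in its torrc (port 9053 and the 127.0.0.1 addresses come from the thread), and that the host's resolver sends its queries from 127.0.0.1.

```conf
# Added example, not from the thread: redirect local DNS queries on port 53
# to Tor's DNSPort on 9053 without running Tor as root.
#
# Packets sent from this host to 127.0.0.1 are looped back through lo0, so
# the rdr has to be attached to lo0; a rule on a second loopback (lo1) never
# sees them, and no route-to rule is needed.

# A "set skip on lo0" line (present in many default pf.conf files) makes pf
# ignore loopback traffic entirely and silently disables the rdr below, so it
# must be absent or commented out:
# set skip on lo0

# Assumed: the port Tor's DNSPort listens on (UDP only; Tor's DNSPort does
# not serve DNS over TCP, so no TCP rule is added).
tor_dns = "9053"

# Restrict the redirect to queries that originate on this host, so nothing
# arriving on an external interface is forwarded into the Tor resolver.
rdr pass on lo0 inet proto udp from 127.0.0.1 to 127.0.0.1 port domain \
    -> 127.0.0.1 port $tor_dns

# Allow the host to talk to its own loopback; the "pass" in the rdr rule
# above already admits the redirected packets themselves.
pass out quick on lo0 inet proto udp from 127.0.0.1 to 127.0.0.1 keep state
```

To check it, `pfctl -nf /etc/pf.conf` parses the file without loading it and `pfctl -s nat` lists the active rdr after a reload; a query such as `dig @127.0.0.1 example.com` should then be answered by Tor, and `pfctl -s state` will show the translated state entry to 127.0.0.1:9053 while the query is in flight.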