From: Spas Karabelov
To: Nick Rogers
Cc: freebsd-stable@freebsd.org
Date: Mon, 8 Feb 2010 21:48:29 +0200
Subject: Re: PF Traffic Redirection issues
Message-ID: <331b660a1002081148r572e43d1k88d18f0ef83d64b2@mail.gmail.com>
In-Reply-To: <147432021002051039s16c72988n95e80f2e9ede0955@mail.gmail.com>
List-Id: Production branch of FreeBSD source code

Thanks for the info Nick, I had the reflection working with PF + Inetd + NC.
*In inetd.conf I have the following:*

    # INTERNAL NC CONFIGURATION: inetd accepts the redirected connection on
    # port 80 and hands it to nc, which opens a fresh connection to the real
    # web server (20 second connect timeout)
    http stream tcp nowait root /usr/bin/nc nc -w 20 192.168.128.102 80

*In rc.conf I had to add the following so the proxy listens on localhost only:*

    inetd_flags="-wW -a 127.0.0.1"

*The PF configuration is as follows:*

    TRANSLATION RULES:
    rdr pass on em0 inet proto tcp from any to 192.168.128.170 port = http -> 127.0.0.1 port 80

    FILTER RULES:
    block drop log all
    pass in on lo0 inet6 proto tcp from any to fe80::1 port = http flags S/SA keep state
    pass in on lo0 inet6 proto tcp from any to ::1 port = http flags S/SA keep state
    pass in on lo0 inet proto tcp from any to 127.0.0.1 port = http flags S/SA keep state
    pass in on em0 inet proto tcp from any to 192.168.128.170 port = ssh flags S/SA keep state
    pass out all flags S/SA keep state

Thanks for the heads up. Hope this works for someone.

KR,
Spas

On Fri, Feb 5, 2010 at 8:39 PM, Nick Rogers wrote:
>
> On Fri, Feb 5, 2010 at 9:41 AM, Spas Karabelov wrote:
>
>> Hello,
>>
>> I am trying to perform traffic redirection with PF on 7.2-RELEASE.
>> The traffic is in the same subnet and I try doing that by using just one
>> interface em0.
>
> PF cannot redirect packets back out the interface they originated on.
>
> From pf.conf(5)...
>
> "Redirections cannot reflect packets back through the interface they arrive
> on, they can only be redirected to hosts connected to different interfaces or
> to the firewall itself."
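The inetd + nc pair is what makes the rdr to 127.0.0.1 work, because PF itself will not reflect the connection back out em0. As an added example (not from the thread or from FreeBSD), this Python relay does the same job: it binds to loopback only, opens a fresh connection to 192.168.128.102:80 for each accepted client with a 20 second connect timeout, and drops the client if the server is unreachable; the round_trip helper, and the echo backend and port numbers used to exercise it, are constructed for testing.

```python
import socket
import threading
from contextlib import suppress
# Added example, not from the thread: a loopback-only TCP relay that plays the part
# of inetd + "nc -w 20 192.168.128.102 80" behind the rdr rule to 127.0.0.1.
LOOPBACK = "127.0.0.1"                  # same effect as inetd -a 127.0.0.1
WEB_SERVER = ("192.168.128.102", 80)    # the internal web server from the thread
NC_TIMEOUT = 20.0                       # mirrors nc -w 20

def pump(src, dst):
    """Copy src -> dst until EOF or error, then half-close dst so it sees EOF."""
    with suppress(OSError):
        for chunk in iter(lambda: src.recv(65536), b""):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def splice(client, backend=WEB_SERVER, timeout=NC_TIMEOUT):
    """Connect to the backend and relay both ways; False if it is unreachable."""
    try:
        upstream = socket.create_connection(backend, timeout=timeout)
    except OSError:
        client.close()                  # like nc exiting: the client sees EOF/RST
        return False
    upstream.settimeout(None)           # connect timeout only, not an idle timeout
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    threading.Thread(target=pump, args=(upstream, client), daemon=True).start()
    return True

def listen_loopback(port, on_accept):   # bind to 127.0.0.1 only, never 0.0.0.0
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, port))
    srv.listen(16)
    def loop():
        while True:
            on_accept(srv.accept()[0])
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]         # the real port, useful when port=0

def start_relay(port=80, backend=WEB_SERVER, timeout=NC_TIMEOUT):
    return listen_loopback(port, lambda c: splice(c, backend, timeout))

def round_trip(relay_port, payload):    # test client; b"" when the relay gives up
    try:
        with socket.create_connection((LOOPBACK, relay_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            return b"".join(iter(lambda: c.recv(65536), b""))
    except OSError:
        return b""
```

One consequence of this design, whether nc or the relay above does the proxying: the web server sees every connection as coming from the firewall, not from the original client, so the client address survives only in PF's state table and logs or in the relay's own logging.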