From: Brian Candler <b.candler@pobox.com>
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Date: Thu, 15 Sep 2005 13:36:54 +0100
Subject: Re: Using 'rdr' on outbound connections
Message-ID: <20050915123654.GA1315@uk.tiscali.com>
In-Reply-To: <20050915121619.68C874D@gw2.local.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Thu, Sep 15, 2005 at 01:16:19PM +0100, Greg Hennessy wrote:
> It could do,
>
> Make the 1st line of the policy
>
> block log all
>
> And see what it catches.

/etc/pf.conf now:

rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25
rdr pass on lo0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
rdr pass on fxp0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
block log all

Not surprisingly, it blackholes everything.

# telnet -N 147.28.0.39 25
Trying 147.28.0.39...
telnet: connect to address 147.28.0.39: Operation not permitted
telnet: Unable to connect to remote host

# tcpdump -r /var/log/pflog

just shows:

13:26:09.426570 IP bloodhound.noc.clara.net.57393 > rip.psg.com.smtp: S 360892497:360892497(0) win 65535

(that's it; no RST, no ICMP ADMIN-PROHIBITED)

I'm coming to the conclusion that 'rdr' acts on an "inbound" interface, i.e. packets arriving at the kernel, and locally-originated packets don't match any interface; or something like that.

But I was hoping there would be someone on the list who has a reasonably deep knowledge of the 'pf' code and could explain whether what I want to do is not possible, or if it is, how to do it.

Thanks,

Brian.
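Editor's added example, not part of the thread and not Brian's or Greg's configuration. It illustrates the point Brian is probing: rdr rules are evaluated only on the inbound path, so a locally originated connection never meets them. The interface name fxp0, the local MTA on 127.0.0.1:25 and the "block log all" diagnostic are taken from the message above; the "route-to lo0" bounce is a commonly used workaround for exactly this case, but the thread does not confirm it, so treat it as an assumption to verify with pfctl and the pflog output rather than as the list's answer.

```pf
# Added example (editor), not from the thread. Assumptions: external
# interface is fxp0, a local MTA listens on 127.0.0.1:25, and the
# route-to lo0 bounce behaves as described (verify on your own system).

ext_if = "fxp0"

# Translation rules must precede filter rules. rdr only ever sees packets
# arriving on an interface, so this rule catches SMTP from other hosts
# coming in on fxp0 ...
rdr pass on $ext_if proto tcp from any to any port 25 -> 127.0.0.1 port 25

# ... and this one catches whatever arrives on lo0, including packets that
# the route-to rule below has pushed back through the loopback.
rdr pass on lo0 proto tcp from any to any port 25 -> 127.0.0.1 port 25

# Locally originated SMTP is never "inbound" on any interface, so it never
# matches an rdr rule (the behaviour Brian observed). Forcing it out via
# lo0 makes it re-enter on lo0's inbound path, where the rdr above can
# rewrite the destination. Assumption: this is the common workaround, not
# something the thread confirms.
pass out quick on $ext_if route-to lo0 proto tcp from any to any port 25 keep state

# Diagnostic default, as Greg suggested: log everything no rule above
# matched. Read it with:
#   tcpdump -n -e -ttt -r /var/log/pflog
# The -e flag shows the rule number, action and interface for each drop,
# which is what distinguishes "rdr never matched" from "blocked later".
block log all

# Loopback traffic, including the redirected flows to the local MTA.
pass quick on lo0
```

Check the loaded ruleset with "pfctl -s nat" and "pfctl -s rules" and watch "pfctl -s state" while running the telnet test: if the outbound SYN produces a state on lo0 with the 127.0.0.1 translation, the bounce is working; if the only trace is a block entry in pflog on fxp0, the packet never reached an rdr rule.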