From: Alan Somers (asomers@gmail.com)
Date: Mon, 22 Jan 2018 17:35:59 -0700
Subject: pf: redirect a packet's port but not its address?
To: FreeBSD Net, Kristof Provost
List-Id: Networking and TCP/IP with FreeBSD

I'm using pf with rules like the following:

    rdr inet proto tcp from any to any port 80 -> localhost port 8080
    rdr inet6 proto tcp from any to any port 80 -> ::1 port 8080

It works for IPv4. But for IPv6 it fails because the redirected packet violates IPv6's scoping rules. I've got a patch to hack around that, but it's a hack. There are three things wrong with the concept of both of these rules:

1) They both violate scoping rules. Even with IPv4, 127.0.0.1 isn't supposed to receive packets from outside the local machine. However, r73626 and r125785 hack around that.

2) They violate a security expectation. Some daemons are bound to localhost specifically so that they can't communicate with the outside world. But this expectation is violated by the above pf rules.

3) They don't work on multihomed hosts. They work fine for LAN traffic, but when a daemon's reply requires routing, it doesn't know which source address to use. It will try to use the default route, but that may be different from the IP address on which the packet arrived. pf won't be able to translate the reply's source address, and won't be able to send the packet out of the correct interface.

All of these problems could be solved if pf were able to redirect a packet's destination port but not its address. You could bind the daemon to INADDR_ANY instead of localhost, and the packet it receives would be destined to the same address that the sender intended. Unfortunately, pf currently lacks this capability. But it looks like it could be added without breaking existing pf.conf syntax. Would this be a good idea?

I don't use ipfw, but from reading the man page I believe that it has the same problem.

-Alan
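The three concerns above all stem from one rule shape: an rdr whose source is not restricted to the local host but whose target is a loopback address. A small audit script for that shape, added here as an example and not part of the original mail, of pf, or of FreeBSD. It assumes the simplified rdr grammar matched by the regular expression (no tables, lists or macros) and runs over a constructed sample pf.conf; the second and third rules are the ones quoted in the mail.

```python
"""Flag pf rdr rules that redirect non-local traffic to a loopback target."""
import ipaddress
import re

# Constructed sample pf.conf (not from any real host). Rules 3 and 4 are the
# two from the mail; rule 5 only redirects traffic that already originates on
# the host, and rule 6 redirects to a routable address, so neither is flagged.
SAMPLE_PF_CONF = """\
# constructed sample pf.conf
pass in quick on lo0 all
rdr inet proto tcp from any to any port 80 -> localhost port 8080
rdr inet6 proto tcp from any to any port 80 -> ::1 port 8080
rdr inet proto tcp from 127.0.0.1 to any port 3128 -> 127.0.0.1 port 3129
rdr on em0 inet proto tcp from any to any port 443 -> 192.0.2.10 port 8443
"""

# Subset of pf.conf rdr syntax: rdr [pass] [on IF] [inet|inet6] [proto P]
#   from SRC to DST [port N] -> TARGET [port M]
RDR_RE = re.compile(
    r"^\s*rdr\s+(?:pass\s+)?"
    r"(?:on\s+(?P<ifc>\S+)\s+)?"
    r"(?:(?P<af>inet6?)\s+)?"
    r"(?:proto\s+(?P<proto>\S+)\s+)?"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s+(?P<dport>\S+))?"
    r"\s*->\s*(?P<target>\S+)"
    r"(?:\s+port\s+(?P<tport>\S+))?\s*$"
)


def is_loopback(addr: str) -> bool:
    """True for 'localhost', 'lo0', anything in 127/8 and ::1 (CIDR accepted)."""
    a = addr.strip("()")
    if a in ("localhost", "lo0"):
        return True
    try:
        return ipaddress.ip_network(a, strict=False).is_loopback
    except ValueError:
        # 'any', table names and hostnames are not loopback literals
        return False


def lint_rdr(conf: str) -> list:
    """Return (line_no, af, src, target, message) for each offending rdr rule.

    A rule offends when its target is a loopback address but its source is
    not, i.e. it forwards packets from outside the host to 127/8 or ::1.
    """
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = RDR_RE.match(line)
        if not m:
            continue  # comments, pass/block rules and unsupported syntax
        src, target = m.group("src"), m.group("target")
        af = m.group("af") or "inet/inet6"
        if is_loopback(target) and not is_loopback(src):
            msg = (
                f"{af} rule redirects traffic from {src} to loopback target "
                f"{target}: violates loopback scoping, exposes daemons bound "
                "to localhost, and leaves the reply source address ambiguous "
                "on multihomed hosts"
            )
            findings.append((lineno, af, src, target, msg))
    return findings


if __name__ == "__main__":
    for lineno, _af, _src, _target, msg in lint_rdr(SAMPLE_PF_CONF):
        print(f"line {lineno}: {msg}")
```

Run it against a real pf.conf by reading the file into `lint_rdr`; rules that use tables (`<name>`) or lists (`{ ... }`) fall outside the regular expression and are silently skipped, so the script is a first pass, not a complete parser.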