From: Matthias Fechner
To: freebsd-questions@freebsd.org
Subject: Convert ipfw rule to pf
Date: Sun, 17 Apr 2016 11:22:05 +0200
List-Id: User questions (freebsd-questions@freebsd.org)

Dear all,

I use sslh to have a transparent proxy for ssh/https in place. The transparent proxy support of sslh requires ipfw rules to work. I'm not sure if sslh is doing something in the background and that is the reason why it is not working with pf.

Maybe we have a pf guru here on the list who can confirm that the rule itself is correct.

The ipfw rules look like:

# https
ipfw add 20000 fwd 192.168.0.251,443 log tcp from 192.168.0.251 8443 to any out
ipfw add 20001 fwd 192.168.200.6,443 log tcp from 192.168.200.6 8443 to any out
# ssh
ipfw add 20003 fwd 192.168.200.6,443 log tcp from 192.168.200.6 22 to any out

In pf they look like:

rdr pass log inet proto tcp from 192.168.0.251 port 8443 to any -> 192.168.0.251 port 443
rdr pass log inet proto tcp from 192.168.200.6 port 8443 to any -> 192.168.200.6 port 443
rdr pass log inet proto tcp from 192.168.200.6 port 22 to any -> 192.168.200.6 port 443

Thanks.

Regards,
Matthias

-- 
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook
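An added pf.conf fragment, not part of the original message and not taken from the sslh project, showing the difference a practitioner would check first. The ipfw "fwd ... out" rules above match packets the host itself generates (replies from the backend listening on 8443, or sshd on 22) on their way out and hand them to the sslh socket. In pf, "rdr" translates packets arriving on an interface (pf.conf(5)), so a bare rdr rule never sees those locally generated replies. The usual workaround, assumed here and to be verified on the target host, is to send the replies through lo0 with route-to so they re-enter as inbound packets, and apply rdr on lo0. The interface name em0 and the use of a single host (192.168.0.251) are assumptions; the second host in the original rules is handled the same way.

```pf
# Added example: pf equivalent of "ipfw fwd <ip>,443 ... from <ip> <port> to any out".
# Assumptions: external interface is em0, sslh listens on 192.168.0.251:443,
# the https backend listens on 8443 and sshd on 22 on the same address.
ext_if   = "em0"
sslh_ip  = "192.168.0.251"
sslh_port = "443"
backend_ports = "{ 8443, 22 }"

# Do NOT "set skip on lo0" here: the rdr rule below must be evaluated on lo0.

# 1. Backend replies only become visible to rdr once they arrive as inbound
#    packets on lo0; rewrite them to the sslh listener there. "log" sends
#    matches to pflog0 so the rule can be checked with tcpdump.
rdr pass log on lo0 inet proto tcp from $sslh_ip port $backend_ports to any \
    -> $sslh_ip port $sslh_port

# 2. Force those replies, which the kernel would otherwise send straight out
#    of $ext_if, onto lo0 so that rule 1 sees them.
pass out log quick on $ext_if route-to lo0 inet proto tcp \
    from $sslh_ip port $backend_ports to any

# 3. Everything else the host sends leaves normally.
pass out on $ext_if
```

Load with "pfctl -nf /etc/pf.conf" first to check the syntax, then "pfctl -f /etc/pf.conf". To confirm the redirect actually fires, watch the logged rules with "tcpdump -n -e -ttt -i pflog0" while a client connects, and check "pfctl -s state" for a state on lo0 whose destination has been rewritten to port 443; if the replies still show up leaving em0 with source port 8443, the route-to rule is not matching and the assumption about the traffic path does not hold on that host.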