From owner-freebsd-pf@FreeBSD.ORG  Thu Sep 15 16:48:51 2005
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4E40516A41F
	for <freebsd-pf@freebsd.org>; Thu, 15 Sep 2005 16:48:51 +0000 (GMT)
	(envelope-from b.candler@pobox.com)
Received: from leto.uk.clara.net (leto.uk.clara.net [80.168.69.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E4B1C43D46
	for <freebsd-pf@freebsd.org>; Thu, 15 Sep 2005 16:48:50 +0000 (GMT)
	(envelope-from b.candler@pobox.com)
Received: from bloodhound.noc.clara.net ([195.8.70.207])
	by leto.uk.clara.net with esmtp (Exim 4.43)
	id 1EFwun-000Ntx-PI; Thu, 15 Sep 2005 17:48:49 +0100
Received: from personal by bloodhound.noc.clara.net with local (Exim 4.52
	(FreeBSD)) id 1EFwuF-0009Oh-C6; Thu, 15 Sep 2005 17:48:15 +0100
Date: Thu, 15 Sep 2005 17:48:15 +0100
From: Brian Candler <B.Candler@pobox.com>
To: Greg Hennessy <Greg.Hennessy@nviz.net>
Message-ID: <20050915164815.GA33032@uk.tiscali.com>
References: <200509151551.24419.max@love2party.net>
	<20050915135554.767714D@gw2.local.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050915135554.767714D@gw2.local.net>
User-Agent: Mutt/1.4.2.1i
Cc: freebsd-pf@freebsd.org
Subject: Re: Using 'rdr' on outbound connections
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Sep 2005 16:48:51 -0000

On Thu, Sep 15, 2005 at 02:55:54PM +0100, Greg Hennessy wrote:
> > here: http://mniam.net/pf/pf.png  To work around this you can 
> > install a route-to rule to loop the packet:
> > 
> > pass out route-to (lo0 127.0.0.1) proto tcp from any to any port 25

Works nicely:

    rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25
    pass out route-to (lo0 127.0.0.1) proto tcp from any to any port 25 user != mailnull

redirects the traffic. But as you say, the ident information is then lost
(ERROR : NO-USER). It looks very strange on a tcpdump, seeing ident packets
going from 127.0.0.1 to a real IP address and back again :-)

But with the magic of oidentd:

    # /usr/local/sbin/oidentd -P 127.0.0.1 -u nobody -g nogroup

and hey presto it works. Many thanks!

Regards,

Brian.