From: Balázs Mátéffy
To: freebsd-pf@freebsd.org
Date: Fri, 3 Jul 2009 12:13:01 +0200
Subject: Re: Extremely simple redirect rule doesnt appear to be working
In-Reply-To: <4A4D2010.4020908@simplenet.com>

Hi there,

I think you should check pfctl -sr and pfctl -sn that your rules are ok, and
you don't deny that traffic explicitly.

However, I don't want to start a war, but on a machine I experienced that
with FreeBSD 7.0 or 7.1 the pf redirections didn't work, after a minor
release update, the problem went away with the same ruleset! (I think it was
7.0 and updated to 7.1 to get it working again)

But rdr pass should add the permitting access rule for your redirection
entry.

Maybe logging can help you too:
http://www.openbsd.org/faq/pf/logging.html

Hope this helps!

Best Regards,

MB.

2009/7/2 Tim Traver

> Hi all,
>
> ok, I'm a little new to messing around with pf, but have come up for a need
> that it sounds like it should be able to solve.
>
> I want to be able to redirect outgoing http requests from the box back to
> local addresses on the box...
>
> In reading up, it appears that the redirect config line should do that, and
> in testing, I have a simple line like this in the pf.conf
>
> rdr pass inet proto tcp from any to 209.131.36.158 port 80 -> [internal address here] port 80
>
> now, I haven't made that internal address be an address on the local box
> yet, cause I'm testing to see how this works...
>
> I can manually telnet to [internal address here] port 80 with no problems
> and get the apache greeting.
>
> Once I turn on and load the pf.conf file (with pfctl -F all -f
> /etc/pf.conf), and I try to telnet to 209.131.36.158 port 80 (generic
> www.yahoo.com), I don't get redirected to the internal address port 80 and
> get the apache greeting that is expected...
>
> I did turn on port forwarding as per the instructions for NAT, although it
> didn't say if it was needed for rdr.
>
> net.inet.ip.forwarding=1
>
> in netstat, I see it trying to actually reach the outside IP, which it can't,
> so the translation didn't appear to take effect...
>
> am I missing something ?
>
> Thanks,
>
> Tim.