Forwarding another host

David DeSimone fox at verio.net
Thu Jan 10 19:08:27 PST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rodrique Heron <swygue at rodhouse.org> wrote:
>
>  INTERNET
>     |
>  PIX Firewall
>     |
>  SWITCH*---*HOSTA 192.168.2.14
>    *
>    |
>    *
>   HOSTB 192.168.2.27
> 
> ###  /etc/pf.conf
> ext_if = "em0"
> int_if = "lo0"
> 
> host_ip = "192.168.2.14"
> jail_ip = "192.168.2.18"
> external_host = "192.168.2.27"
> 
> rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
> rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22
> 
> pass in quick all
> pass out quick all


NAT is always a two-way street.  PF must not only translate packets sent
to another host, it must also receive and translate the REPLY packets
from that host.

In the scenario you paint above, HOSTB will receive packets from HOSTA,
but when generating a reply, the reply will bypass HOSTA and go
directly back to the PIX firewall.

It works in a jail because the jail is "inside" HOSTA and so all reply
traffic from the jail gets seen by HOSTA before going to the network.

Seems to me it would be easier to get the PIX firewall to send traffic
to HOSTB instead of HOSTA.  If that device is outside your control,
probably the easiest thing for you to do is set up a generic proxy, like
"redir" or similar, to copy traffic over a secondary connection to HOSTB.

- -- 
David DeSimone == Network Admin == fox at verio.net
"This email message is intended for the use of the person to whom
 it has been sent, and may contain information that is confidential
 or legally protected.  If you are not the intended recipient or have
 received this message in error, you are not authorized to copy, dis-
 tribute, or otherwise use this message or its attachments.  Please
 notify the sender immediately by return e-mail and permanently delete
 this message and any attachments.  Verio, Inc. makes no warranty that
 this email is error or virus free.  Thank you."  --Lawyer Bot 6000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFHht2qFSrKRjX5eCoRAiclAJ4o6K2FlPi2E0JzV6j8oMlAMa9ApACeNIOi
MvV4FUbvBEejzzCLhzEPpf8=
=L3iu
-----END PGP SIGNATURE-----
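A third option, added here as an illustration and not part of either poster's message, keeps the redirect inside pf by rewriting the source address as well: after the rdr sends the connection on to HOSTB, a matching nat rule on the same interface makes the packet appear to come from HOSTA, so HOSTB's replies are addressed to HOSTA and pass back through pf's state table instead of going straight to the PIX. This is the same technique the pf FAQ documents for reflecting connections to a host on the same segment. It assumes the older rdr/nat rule syntax of the original post, that HOSTA has IP forwarding enabled (net.inet.ip.forwarding=1), and that losing the real client address in HOSTB's logs is acceptable, since every forwarded SSH session will arrive from 192.168.2.14.

```conf
# /etc/pf.conf on HOSTA (example, not the original poster's file)
ext_if        = "em0"
host_ip       = "192.168.2.14"
jail_ip       = "192.168.2.18"
external_host = "192.168.2.27"

# Port 22 on HOSTA is handed to HOSTB; port 26 still reaches the local jail.
rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22

# Source-rewrite the redirected connection so HOSTB answers HOSTA rather
# than the PIX. The jail needs no such rule: it lives on HOSTA already.
nat on $ext_if proto tcp from any to $external_host port 22 -> $host_ip

# Filter rules see post-translation addresses. Keep state so the reply
# packets from HOSTB are matched to the forwarded connection.
pass in  quick on $ext_if proto tcp from any to $external_host port 22 keep state
pass in  quick on $ext_if proto tcp from any to $jail_ip       port 22 keep state
pass out quick on $ext_if proto tcp from $host_ip to $external_host port 22 keep state
```

Load with `pfctl -f /etc/pf.conf` and confirm the two translations with `pfctl -s nat`; an established forwarded session then shows up in `pfctl -s state` twice, once for the client-to-HOSTA leg and once for the HOSTA-to-HOSTB leg.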


More information about the freebsd-pf mailing list