iptables rule in pf

Daniel Roethlisberger daniel at roe.ch
Thu May 8 11:57:53 UTC 2008


CZUCZY Gergely <gergely.czuczy at harmless.hu> 2008-05-08:
> On Thu, 08 May 2008 11:36:26 +0300 Oleksandr Samoylyk
> <oleksandr at samoylyk.sumy.ua> wrote:
> > >> That iptables rule worked for any destination.  
> > > You cannot rewrite a packet's destination address to _any_
> > > destination.
> > > 
> > > It's like you cannot submit a package at the post office with the
> > > destination address "any". It's just meaningless.
> > 
> > However it works with iptables. :)
> > 
> > What can I do in my situation in order to gain the same
> > functionality by means of pf or other additional daemons?
> No, it doesn't. That iptables rule only affects the port number, where
> it defaults to the original dst address. So it defaults to something,
> where as pf doesn't. With pf you have to explicitly specify the
> rewritten dst IP.
> 
> In my first reply I've told you to read the openbsd FAQ. You haven't
> done it. I _strongly_ suggest you, before doing your next reply to the
> list. go and read that FAQ. Here's the URL once more, I bet you've
> lost it under your desk...  http://www.openbsd.org/faq/pf/

Netfilter allows rewriting the destination port without rewriting the
destination address.  It would seem that this is not possible with
pf, at least not using rdr.  But it is not necessary, since
my.smtp.server is the only destination on port 25 that will not be
dropped by the previous rule, so you can just specify my.smtp.server as
destination in the rdr rule.

Just in case this is about submitting mail around port 25 filters (in
contrast to a fixed MTA-MTA "tunnel" on port 2525), you probably want to
use SMTP AUTH on the submission port (587) to solve this problem, not
just provide plain SMTP on a different port.  On the submission port,
authentication is mandatory, which prevents it being used by spambots to
deliver mail directly to your MTA.  Using submission and blocking port
25 for end-user address ranges does have anti-spam benefits.

-- 
Daniel Roethlisberger
http://daniel.roe.ch/
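For readers following the thread, here is what the rdr rule Daniel describes looks like in a pf.conf fragment. This is an added example and is not configuration posted by anyone in the thread; the interface names, the $int_if:network client range, the 2525 listener on my.smtp.server and the port 587 submission pass rule are assumptions made for illustration, not details from the original poster's setup.

```pf
# Constructed pf.conf fragment (added example, not from the thread).
# Assumptions: em1 is the LAN-facing interface whose clients should be
# redirected, my.smtp.server resolves, and the MTA listens on 2525.
ext_if     = "em0"
int_if     = "em1"
smtp_server = "my.smtp.server"

# pf's rdr needs an explicit target address, unlike iptables REDIRECT.
# Since the block rule below drops port 25 to every other destination,
# naming my.smtp.server here loses nothing: it is the only host that
# could reach port 25 anyway.
rdr on $int_if proto tcp from $int_if:network to $smtp_server port 25 \
    -> $smtp_server port 2525

# Filter rules see the translated packet (port 2525), so the redirected
# traffic is not matched by this block. Direct port-25 delivery from
# end-user ranges to any other host is dropped, which is the anti-spam
# benefit mentioned above.
block out quick on $ext_if proto tcp from $int_if:network to any port 25
pass  out quick on $ext_if proto tcp from $int_if:network to $smtp_server port 2525

# Preferred for end users: authenticated submission on 587 (SMTP AUTH),
# rather than plain SMTP on an alternate port.
pass  out quick on $ext_if proto tcp from $int_if:network to any port 587
```

Rule order matters: pf evaluates rdr (translation) rules before the filter rules, so the filter set must match on the post-translation port. Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s nat` and `pfctl -s rules` show what was actually installed.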

