Extremely simple redirect rule doesn't appear to be working

Tim Traver tt-list at simplenet.com
Sat Jul 4 07:48:32 UTC 2009


Thank you for your response.

My rules are OK, because I have no other rules than that one, and I ran 
the syntax checker on it...

I am indeed running 7.0, so I guess I could update the sources on that 
machine to 7.1 and rebuild pf.

Thanks,

Tim.


Balázs Mátéffy wrote:
> Hi there,
>
> I think you should check with pfctl -sr and pfctl -sn that your rules are OK and
> that you don't deny that traffic explicitly.
>
> However, I don't want to start a war, but on one machine I experienced that
> with FreeBSD 7.0 or 7.1 the pf redirections didn't work; after a minor
> release update, the problem went away with the same ruleset! (I think it was
> 7.0, and I updated to 7.1 to get it working again.)
>
> But rdr pass should add the rule permitting access for your redirection
> entry.
>
> Maybe logging can help you too: http://www.openbsd.org/faq/pf/logging.html
>
> Hope this helps!
>
> Best Regards,
>
> MB.
>
>
> 2009/7/2 Tim Traver <tt-list at simplenet.com>
>
>   
>> Hi all,
>>
>> OK, I'm a little new to messing around with pf, but I have come up with a need
>> that it sounds like it should be able to solve.
>>
>> I want to be able to redirect outgoing http requests from the box back to
>> local addresses on the box...
>>
>> In reading up, it appears that the redirect config line should do that, and
>> in testing, I have a simple line like this in pf.conf:
>>
>> rdr pass inet proto tcp from any to 209.131.36.158 port 80 -> [internal address here] port 80
>>
>> Now, I haven't made that internal address an address on the local box
>> yet, because I'm testing to see how this works...
>>
>> I can manually telnet to [internal address here] port 80 with no problems
>> and get the apache greeting.
>>
>> Once I turn it on and load the pf.conf file (with pfctl -F all -f
>> /etc/pf.conf) and try to telnet to 209.131.36.158 port 80 (generic
>> www.yahoo.com), I am not redirected to the internal address port 80 and
>> do not get the Apache greeting that is expected...
>>
>> I did turn on port forwarding as per the instructions for NAT, although it
>> didn't say if it was needed for rdr.
>>
>> net.inet.ip.forwarding=1
>>
>> In netstat, I see it actually trying to reach the outside IP, which it can't,
>> so the translation didn't appear to take effect...
>>
>> Am I missing something?
>>
>> Thanks,
>>
>> Tim.
>>
>> _______________________________________________
>> freebsd-pf at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>>
>>     
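The rule quoted above is the kind that works for connections arriving from other hosts but not for connections the box opens itself. On the pf shipped with FreeBSD 7.x, rdr rules are evaluated when a packet arrives on an interface, while a locally originated connection to 209.131.36.158 only ever leaves through the outside interface, so the rdr rule is never consulted and netstat shows the untranslated destination. The pf.conf fragment below is an added example, not something posted in this thread: it bounces the outgoing packets through lo0 with route-to so that they re-enter the stack and an rdr rule on lo0 can rewrite them. The interface name em0 and the internal address 10.0.0.5 are assumptions standing in for the sender's own values.

```conf
# Added example (not from the thread): redirecting HTTP connections that the
# FreeBSD 7.x box itself opens to 209.131.36.158 onto a local Apache.
# Assumed values: outside interface em0, Apache reachable at 10.0.0.5.

ext_if    = "em0"             # assumption: the outside interface
ext_host  = "209.131.36.158"  # the address the client actually connects to
www_local = "10.0.0.5"        # assumption: the address Apache listens on

# Do NOT add "set skip on lo0" here; the redirect depends on lo0 being filtered.

# 1. Translation (must come before the filter rules in this pf version):
#    rewrite the destination when the packet arrives on lo0. "rdr pass" also
#    lets the translated connection through without a separate pass rule.
rdr pass on lo0 inet proto tcp from any to $ext_host port 80 \
    -> $www_local port 80

# 2. Filter: the locally generated SYN leaves via $ext_if; route-to lo0 sends
#    it back in on lo0, where rule 1 sees it as an inbound packet.
pass out on $ext_if route-to lo0 inet proto tcp from any to $ext_host port 80

# Leave the rest of loopback traffic alone.
pass quick on lo0 all
```

After loading it, `pfctl -sn` should list the rdr rule and `pfctl -ss` should show a state for the connection with the translated destination once a telnet to 209.131.36.158 port 80 has been attempted; if `pfctl -vsn` shows zero evaluations on the rdr rule, the packets are not reaching lo0 and the route-to rule is the place to look. Note that net.inet.ip.forwarding is only needed when the redirect target is on another host; when the target is an address on the box itself, the kernel delivers the translated packet locally and no forwarding is involved.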

