Using 'rdr' on outbound connections

Brian Candler B.Candler at pobox.com
Thu Sep 15 03:11:34 PDT 2005


Hello,

I would like to use pf to trap all locally-originated outbound connections
to port 25 on any remote host, and redirect them to a local mailserver.

I tried:

    rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25

but it doesn't seem to work (i.e. 'telnet mail.foo.com 25' connects as
normal).

Using other rdr rules, I can demonstrate rdr works if the connection
originates from outside the machine, or if the connection is from the
machine back to itself (e.g. telnet localhost 1234 where rdr redirects port
1234 to port 25). I just can't get connections from this machine to the
outside world to be redirected.

Is this correct? Is there a way to make it work the way I want? I am running
FreeBSD-5.4-RELEASE.

Unfortunately, for other reasons, 'ipfw' and 'ipf' won't work for me either:

(1) with ipfw and 'fwd 127.0.0.1,25' I can happily redirect all outbound
port 25 connections to the local SMTP server:

    ipfw -f flush
    ipfw add allow ip from any to any uid mailnull
    ipfw add fwd 127.0.0.1,25 tcp from any to any 25
    ipfw add allow ip from any to any

However, the local SMTP server is unable to use ident (RFC1413) to determine
the userid of the person originating the connection, probably because of the
way ipfw fwd messes with sockets so that the remote IP is treated as local.
Unfortunately, I need ident for the SMTP server to be able to identify the
sender to perform per-user accounting / rate limiting.

(2) with ipf, there is no 'user' or 'uid' matching, and I need this so that
the SMTP server itself is allowed to make outbound SMTP connections, as
shown in the ipfw rules above. Because of this, I've not tested ipf to see
if it can actually redirect the connections.

(I thought of putting the untrusted users in a jail(8) and having the
trusted SMTP server outside, bound to a different IP. But at the moment the
untrusted users are locked up using Apache mod_chroot which doesn't know
about jails; I would have to write a mod_jail.)

Any suggestions for how to solve this problem gratefully received...

Thanks,

Brian Candler.


More information about the freebsd-pf mailing list