Using 'rdr' on outbound connections
B.Candler at pobox.com
Thu Sep 15 05:33:44 PDT 2005
On Thu, Sep 15, 2005 at 01:16:19PM +0100, Greg Hennessy wrote:
> It could do,
> Make the 1st line of the policy
> block log all
> And see what it catches.

rdr pass proto tcp from any to any port 25 -> 127.0.0.1 port 25
rdr pass on lo0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
rdr pass on fxp0 proto tcp from any to any port 25 -> 127.0.0.1 port 25
block log all

Not surprisingly, it blackholes everything.

# telnet -N 220.127.116.11 25
telnet: connect to address 18.104.22.168: Operation not permitted
telnet: Unable to connect to remote host
# tcpdump -r /var/log/pflog
13:26:09.426570 IP bloodhound.noc.clara.net.57393 > rip.psg.com.smtp: S 360892497:360892497(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale1,nop,nop,timestamp 9750257 0>

(that's it; no RST, no ICMP ADMIN-PROHIBITED)

I'm coming to the conclusion that 'rdr' acts on an "inbound" interface, i.e.
packets arriving at the kernel, and locally-originated packets don't match
any interface; or something like that.

But I was hoping there would be someone on the list who has a reasonably
deep knowledge of the 'pf' code and could explain whether what I want to do
is not possible, or if it is, how to do it.
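The following ruleset is an added example, not part of the original message or a reply to it. It shows one ordering of rules that is consistent with the hypothesis above (rdr only sees packets arriving inbound on an interface): instead of trying to rdr the outbound packet directly, the locally originated SMTP connection is routed to lo0 with route-to, where it re-enters the stack as inbound traffic and the rdr on lo0 can act on it. It assumes the poster's fxp0 interface, the pre-4.7 pf syntax in use on FreeBSD at the time, and that route-to lo0 is honoured on that pf version; whether it works on the poster's system is an assumption to be verified, not something the thread confirms.

```conf
# Added example (not from the original post). Assumptions: external
# interface is fxp0, pre-4.7 pf rule syntax, and route-to lo0 works on
# this pf version. Goal: force locally originated SMTP through a
# listener on 127.0.0.1:25 (e.g. a local filtering MTA or proxy).

ext_if = "fxp0"

# Do NOT add 'set skip on lo0' here: skipping lo0 would bypass the rdr
# that this whole arrangement depends on.

# Translation rules come before filter rules in pf.conf.
# Redirect SMTP that arrives inbound on lo0 to the local listener;
# 'rdr pass' also creates the matching pass rule for the redirected flow.
rdr pass on lo0 inet proto tcp from any to any port 25 -> 127.0.0.1 port 25

# Filter rules. Last matching rule wins unless 'quick' is used, so the
# default block goes first and the specific pass below overrides it.
block log all

# Locally originated SMTP that would leave via fxp0 is instead pushed
# back through lo0, where the rdr above can see it as inbound traffic.
pass out on $ext_if route-to lo0 inet proto tcp from any to any port 25
```

To check what actually happens after loading this with pfctl -f, watch lo0 with `tcpdump -n -i lo0 port 25` while repeating the telnet test: if the SYN shows up there with 127.0.0.1:25 as its destination, the route-to step worked and the rdr matched. Reading the block log with `tcpdump -n -e -ttt -r /var/log/pflog` is also more informative than the plain `-r` form above, because `-e` prints the rule number, action and interface that produced each logged packet, which distinguishes "blocked by the default rule on fxp0" from "blocked on lo0".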