Using 'rdr' on outbound connections
Greg.Hennessy at nviz.net
Thu Sep 15 06:09:30 PDT 2005
> Not surprisingly, it blackholes everything.
The joys of a default deny.
pass on lo0 all keep state
Just keep things listening there sweet.
> # telnet -N 184.108.40.206 25
> Trying 220.127.116.11...
> telnet: connect to address 18.104.22.168: Operation not permitted
> telnet: Unable to connect to remote host
> # tcpdump -r /var/log/pflog
> just shows:
> 13:26:09.426570 IP bloodhound.noc.clara.net.57393 >
> rip.psg.com.smtp: S 360892497:360892497(0) win 65535 <mss
> 1460,nop,nop,sackOK,nop,wscale1,nop,nop,timestamp 9750257 0>
> (that's it; no RST, no ICMP ADMIN-PROHIBITED)
You need to
set block-policy return
for that to happen.
Now that it's caught it and we know what the specifics are.
# assuming fxp0 and bloodhound.noc.clara.net are one and the same.
rdr pass on fxp0 proto tcp from fxp0 to !fxp0 port smtp -> 127.0.0.1 port
And see if that works.
> I'm coming to the conclusion that 'rdr' acts on an "inbound"
> interface, i.e.
> packets arriving at the kernel, and locally-originated
> packets don't match any interface; or something like that.
It would be rather hard to filter on userid if that was the case.
More information about the freebsd-pf
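The pieces discussed in this thread (default deny, `set block-policy return`, an open loopback, and an `rdr` for SMTP) put together in one pf.conf, as an added example that is not from the original message or from the FreeBSD project. The interface name fxp0 and the local listener port 10025 are assumptions for illustration; the caveat a practitioner wants here is that pf.conf(5) describes `rdr` as translating packets arriving on the named interface, so whether a connection the host itself originates out of fxp0 is caught by `rdr on fxp0` must be checked rather than assumed.

```pf
# Added example, not the poster's own ruleset. fxp0 and port 10025 are
# assumed for illustration.
ext_if = "fxp0"
smtp_proxy_port = "10025"

# Default block policy is "drop": a blocked locally-originated connect()
# just fails with EPERM ("Operation not permitted") and nothing but the
# SYN shows up in pflog, exactly as in the telnet/tcpdump output quoted
# in the thread. "return" makes pf answer blocked TCP with a RST and
# other protocols with an ICMP unreachable.
set block-policy return
set loginterface $ext_if

# Never filter loopback: local daemons, and the redirect target below,
# live there. "set skip on lo0" is the usual alternative.
pass on lo0 all keep state

# Redirect SMTP arriving on $ext_if to a local listener, letting the
# translated packet through in the same rule.
rdr pass on $ext_if proto tcp from any to any port smtp -> 127.0.0.1 port $smtp_proxy_port

# Default deny, logged, so every unexpected block is visible in pflog.
block log all

# The host's own outbound traffic, with state kept for the replies.
pass out on $ext_if proto { tcp udp icmp } all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, confirm the translation rule was installed with `pfctl -s nat`, and after a test connection compare `pfctl -s state` (was a state created against 127.0.0.1:10025 or against the remote MTA?) with `tcpdump -n -e -ttt -r /var/log/pflog` to see which direction and rule blocked anything that still fails.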