Using 'rdr' on outbound connections

Greg Hennessy Greg.Hennessy at
Thu Sep 15 06:09:30 PDT 2005

> Not surprisingly, it blackholes everything.

The joys of a default deny. 

Add a 

 pass on lo0 all keep state

Just keep things listening there sweet. 

> # telnet -N 25
> Trying
> telnet: connect to address Operation not permitted
> telnet: Unable to connect to remote host
> # tcpdump -r /var/log/pflog
> just shows:
> 13:26:09.426570 IP > 
> S 360892497:360892497(0) win 65535 <mss 
> 1460,nop,nop,sackOK,nop,wscale1,nop,nop,timestamp 9750257 0>
> (that's it; no RST, no ICMP ADMIN-PROHIBITED)

You need to 

	set block-policy return

For that to happen. 

Now that it's caught it and we know what the specifics are.  


# assuming fxp0 and are one and the same. 

rdr pass on fxp0 proto tcp from fxp0 to !fxp0 port smtp -> port

And see if that works.

> I'm coming to the conclusion that 'rdr' acts on an "inbound" 
> interface, i.e.
> packets arriving at the kernel, and locally-originated 
> packets don't match any interface; or something like that.

It would be rather hard to filter on userid if that was the case. 
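
Added example, not from the post or its author: a pf.conf fragment that puts the three things the reply recommends (return instead of silent drop, loopback passed with state, an rdr rule on the external interface for outbound SMTP) into one file, using the pre-OpenBSD-4.7 rdr syntax that FreeBSD's pf used in 2005. The interface name fxp0 is from the thread; the addresses, the relay host and the relay port are constructed placeholders and are assumptions to substitute for your own values.

```conf
# Added example pf.conf fragment (not from the mailing-list post).
# fxp0 is the interface from the thread; every address and the relay
# port below are constructed placeholders.
ext_if     = "fxp0"
ext_addr   = "192.0.2.10"    # assumed address of fxp0
relay      = "192.0.2.25"    # assumed SMTP relay to redirect to
relay_port = "2525"          # assumed port the relay listens on

# Answer blocked connections with a TCP RST / ICMP unreachable instead of
# silently dropping them, so a blocked connect() fails immediately instead
# of timing out. Blocked packets are still logged to pflog.
set block-policy return

# Translation rules come before filter rules. Redirect SMTP that this host
# originates on the external interface to the relay; "rdr pass" also
# creates the state entry so no separate pass rule is needed.
rdr pass on $ext_if proto tcp from $ext_addr to !$ext_addr port smtp \
    -> $relay port $relay_port

# Default deny, logged, so anything dropped shows up in /var/log/pflog.
block log all

# Keep whatever is listening on loopback reachable under the default deny.
pass quick on lo0 all keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then reproduce the test from the thread; `tcpdump -n -e -ttt -r /var/log/pflog` prints the matching rule number, action and direction for each logged packet, which is what tells you whether the rdr rule or the default block handled the connection.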

