RDR for locally generated traffic

Travis H. solinym at gmail.com
Sat Jul 15 14:42:37 UTC 2006


On 7/15/06, Christian Meutes <christian at de.clara.net> wrote:
> I have used a simple RDR rule for accomplishing this:
> "rdr pass on fxp0 proto tcp from $server_ip to 1.1.1.1 port 25 -> 2.2.2.2
> ... but without any success.
> When tcpdumping on fxp0 to check what is happening, I recognized that
> the packets are pushed untouched outside of fxp0 with the original IP
> address (1.1.1.1), so no rewriting was happening.

Yes, rdr actually gets performed on inbound packets only.  Conversely,
nat gets performed on outbound only.

You cannot DNAT in outbound, nor can you SNAT on inbound.  I have been
asking for the symmetric cases on the OpenBSD pf list, and it's on my
"to do one day" list, but I have no idea when that will become the top
priority (maybe never).

As I understand it, this limitation has to do with the way the TCP/IP
stack works in BSD, particularly vis-a-vis routing.  You will note we
don't have an equivalent to the PREROUTING chain, either.

What I'd like to see is a real virtual machine designed for packet
filtering (similar to BPF), and we compile the rules into VM
instructions, and could support multiple source languages if so
desired.  This would give a lot more flexibility, and could lead to
substantial innovations in firewalling (for example, doing stream
reassembly to support variable-length re-writes, checking layer 7 data
for stateful filtering (think DHCP and DNS), and doing extremely
sophisticated state management).  Plus, we could leverage all the
optimizations that compiler designers have learned over the last 30
years.

Well, it all comes down to code time.  Feel free to beat me to this one :-)
-- 
``I am not a pessimist.  To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
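As an added illustration (not part of Travis's message or of the thread), the pf.conf fragment below shows the orientation the reply describes: rdr is evaluated on the interface where packets arrive, nat on the interface where they leave, so a rdr rule on the outside interface never sees traffic the firewall itself originates. Interface names, addresses and macros are placeholders chosen for the example; the 1.1.1.1 / 2.2.2.2 rule is the one from the question, kept as a comment for comparison.

```pf
# Constructed example, not from the thread. Interface names and
# addresses are placeholders.
ext_if    = "fxp0"
int_net   = "192.168.1.0/24"
mail_relay = "192.168.1.25"

# nat is applied to packets going OUT through $ext_if: internal hosts
# leave with the firewall's external address as their source.
nat on $ext_if from $int_net to any -> ($ext_if)

# rdr is applied to packets coming IN on $ext_if: connections arriving
# on port 25 are rewritten to the internal relay before routing.
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> $mail_relay port 25

# The rule from the question. Packets the firewall generates toward
# 1.1.1.1 leave fxp0 OUTBOUND, and rdr is only evaluated inbound, so
# this rule matches nothing and tcpdump shows the destination unchanged.
# rdr pass on fxp0 proto tcp from $server_ip to 1.1.1.1 port 25 -> 2.2.2.2

# Filter rules for the translated traffic; translation alone passes nothing.
pass in  on $ext_if proto tcp from any to $mail_relay port 25 keep state
pass out on $ext_if from ($ext_if) to any keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -s nat` lists the translation rules actually in effect, and `tcpdump -ni fxp0 tcp port 25` shows whether the addresses on the wire were rewritten, which is the check the original poster used to discover that no rewriting was happening.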