rdr pass rule

Max Laier max at love2party.net
Tue Jan 13 06:51:06 PST 2009


On Tuesday 13 January 2009 02:14:50 Mitar wrote:
> Hi!
>
> I have a system where my daemon is running on a public IP on a high
> port (so that it does not need root privileges, and it is bound to a
> public IP as it runs in a jail) and I would like to translate it to a
> lower port. I would like that just this lower port is publicly
> accessible. This can be done with:
>
> rdr pass on $int_untrust proto tcp from any to $addr_svc port $svc_ext
> -> $addr_svc port $svc_int
>
> This makes only $svc_ext port accessible as $svc_int port is closed
> (not opened) for traffic.
>
> But I would like to assign this traffic to a queue and thus I cannot
> use pass option. I wanted to create a rdr rule without pass option and
> a separate pass rule later on. But the problem is that, as far as I
> understand, pass rules are applied after rdr, so I can set them only
> on an internal port (to which I am translating public port). But then
> the question is how can I open this internal port so that it is not
> opened to the public, only to traffic coming through a rdr rule?
>
> Is there a general way one can transcribe the rdr pass option to a
> pass rule which would behave in the same way as rdr pass?

The simplest way off the top of my head:  Use a "rdr ... tag"-rule and "pass 
... tagged" later on.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
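The tag/tagged approach described above, written out as a pf.conf fragment (this is an added example, not part of either message, and it assumes the poster's own macros $int_untrust, $addr_svc, $svc_ext and $svc_int, a constructed address 192.0.2.10, and an assumed cbq queue definition named q_svc):

```pf
# Assumed values for the poster's macros (192.0.2.10 is a constructed example address).
int_untrust = "em0"
addr_svc    = "192.0.2.10"
svc_ext     = "80"       # public port that should be reachable
svc_int     = "8080"     # high port the jailed daemon actually listens on

# Assumed queue setup; the point is only that q_svc exists to be assigned below.
altq on $int_untrust cbq bandwidth 10Mb queue { q_default, q_svc }
queue q_default bandwidth 80% cbq(default)
queue q_svc     bandwidth 20%

# Translation without "pass": the packet is still evaluated by the filter rules
# after translation, but it now carries the tag SVC_RDR (and so does its state).
rdr on $int_untrust proto tcp from any to $addr_svc port $svc_ext \
    tag SVC_RDR -> $addr_svc port $svc_int

# Default deny on the untrusted interface, so $svc_int is not reachable directly.
block in on $int_untrust

# Filter rules see the translated destination ($svc_int). Only packets that went
# through the rdr above carry the tag, so a direct connection to $svc_int from the
# outside does not match here and stays blocked. This is the "rdr pass" behaviour
# expressed as a separate pass rule, which in turn allows the queue assignment.
pass in on $int_untrust proto tcp from any to $addr_svc port $svc_int \
    tagged SVC_RDR keep state queue q_svc
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; the tag name is arbitrary and only has to match between the rdr and pass rules.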

