Extremely simple redirect rule doesn't appear to be working

Ronnel P. Maglasang rmaglasang at infoweapons.com
Mon Jul 6 06:20:59 UTC 2009


Tim Traver wrote:
>
>
> Chris Buechler wrote:
>> On Mon, Jul 6, 2009 at 1:28 AM, Tim Traver <tt-list at simplenet.com> wrote:
>>  
>>> Thanks for responding. I am indeed testing this from within the same
>>> machine, as I need the redirection to take place when attempting to
>>> make requests FROM the machine to an outside source.
>>>
>>> Is there not a way to do that with pf ???
>>>
>>>     
>>
>> There are multiple options, see:
>> http://www.openbsd.org/faq/pf/rdr.html
>>   
>
> Chris,
>
> yes, that is where I originally got all of the information, and made 
> my original post with my redirection line in the pf.conf that does not 
> appear to be doing anything. I couldn't figure out why, hence the post 
> here.
>
> Here is a copy of the original post if you think you might have any 
> insight...
>
> Hi all,
>
> ok, I'm a little new to messing around with pf, but have come up with a 
> need that it sounds like it should be able to solve.
>
> I want to be able to redirect outgoing http requests from the box back 
> to local addresses on the box...
>
> In reading up, it appears that the redirect config line should do 
> that, and in testing, I have a simple line like this in the pf.conf
>
> rdr pass inet proto tcp from any to 209.131.36.158 port 80 -> [internal address here] port 80
>
> now, I haven't made that internal address be an address on the local 
> box yet, because I'm testing to see how this works...
>
> I can manually telnet to [internal address here] port 80 with no 
> problems and get the apache greeting.
>
> Once I turn on and load the pf.conf file (with pfctl -F all -f 
> /etc/pf.conf), and I try to telnet to 209.131.36.158 port 80 (generic 
> www.yahoo.com), I don't get redirected to the internal address port 80 
> and get the apache greeting that is expected...
>
> I did turn on port forwarding as per the instructions for NAT, 
> although it didn't say if it was needed for rdr.
>
> net.inet.ip.forwarding=1
>
> in netstat, I see it trying to actually reach the outside IP, which it 
> can't, so the translation didn't appear to take effect...
>
> am I missing something?
>
Yes, I believe so.

rdr works only for incoming traffic. To redirect outgoing traffic locally
you need to re-route the traffic using the route-to option.

Try these rules.

--
# rdr only translates packets arriving inbound on an interface, so attach it to lo0
rdr pass on lo0 inet proto tcp from any to 209.131.36.158 port 80 -> <internal address here> port 80
pass out log quick on lo0 no state
pass in log quick on lo0 no state

# force the locally generated request onto lo0 so the rdr above gets to see it
pass out quick on <outgoing if> route-to (lo0 <internal address here>) inet proto tcp from any to 209.131.36.158 port 80 keep state
--



 
> Thanks,
>
> Tim.
>
>
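A fuller version of the loopback-redirect setup from the reply above, as an added example rather than code from the thread: a shell script that writes the ruleset, syntax-checks it with pfctl, loads it, and lists the pfctl views to look at when the diversion seems to do nothing. The interface name em0 and the local web server address 127.0.0.1 are assumptions; set EXT_IF and LOCAL for your host.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: adjust for your host.
EXT_IF="${EXT_IF:-em0}"            # interface the outbound request leaves on (assumed)
TARGET="${TARGET:-209.131.36.158}" # remote address whose port 80 traffic is diverted
LOCAL="${LOCAL:-127.0.0.1}"        # local web server address (assumed)

# Emit the ruleset. A plain rdr on $EXT_IF never matches traffic this host
# originates: rdr is applied to packets arriving inbound on an interface,
# and a locally generated packet only ever leaves $EXT_IF outbound.
# route-to (lo0 ...) pushes that packet onto loopback instead, where it
# re-enters inbound and the rdr on lo0 rewrites the destination.
pf_conf() {
    cat <<EOF
# --- does nothing for connections made from this host ---
# rdr pass on $EXT_IF inet proto tcp from any to $TARGET port 80 -> $LOCAL port 80

# --- working variant: divert via loopback ---
rdr pass on lo0 inet proto tcp from any to $TARGET port 80 -> $LOCAL port 80
pass out log quick on lo0 no state
pass in log quick on lo0 no state
pass out quick on $EXT_IF route-to (lo0 $LOCAL) inet proto tcp from any to $TARGET port 80 keep state
EOF
}

# Syntax-check first; a parse error must not leave a half-loaded ruleset.
load_rules() {
    conf="$1"
    pfctl -nf "$conf" || { echo "pf.conf syntax error" >&2; return 1; }
    pfctl -F all -f "$conf" || return 1
    pfctl -e 2>/dev/null || true   # "already enabled" is fine
}

# What to inspect when "nothing happens": the loaded translation and
# filter rules, then the state table while a test connection is open.
show_status() {
    pfctl -s nat                      # the rdr on lo0 must be listed here
    pfctl -s rules                    # the route-to pass rule must be listed here
    pfctl -s state | grep "$TARGET"   # look for states involving $TARGET and $LOCAL
    # the lo0 rules carry "log", so packets that hit them appear on pflog0:
    #   tcpdump -n -e -ttt -i pflog0 port 80
}

if [ "${1:-}" = "apply" ]; then
    tmp=$(mktemp) && pf_conf > "$tmp" && load_rules "$tmp" && show_status
    nc -z -w 3 "$TARGET" 80 && echo "connected: confirm via pflog/state that it went to $LOCAL"
fi
```

Run it as `sh redirect.sh apply` as root on the host; without the argument it only defines the functions.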