pf redirect question

Nikos Vassiliadis nvass at teledomenet.gr
Wed Sep 26 06:13:36 PDT 2007


Please CC me when replying to me, since I will
see your replies in no time. Otherwise your reply
might not be seen, since it ends up in another
directory in my maildir.

On Wednesday 26 September 2007 15:18, Jonathan Horne wrote:
> On Wednesday 26 September 2007 02:28:48 Nikos Vassiliadis wrote:
> > No, don't use the IP on your server. Why should you do such a thing?
>
> why not?  i did specify that the old server is decommissioning and would
> be permanently downed.
>

Because the IP you will use on the host running FreeBSD and PF has
nothing to do with FreeBSD and PF. If you do this, you understand
that packets will be processed locally by FreeBSD's TCP/IP stack
and not forwarded to the new server, right?

You only want PF to alter the address from old server to new server
as I said previously. Not accept the packet as if destined for localhost!

> > You just have to make sure that packets ($old_server <-> $world)
> > are routed through your $pf box. I guess that's the case for you.
> > pf will just translate the destination address from $old_server
> > to $new_server.
>
> yes, any client or server would be able to route across the wan to the
> new ip at the other end.

Something like this:
client-a    client-b
     |        |  
( internet cloud )
     |
    (pf)--------(new-server)
     |
     |
(old-server)

> > BUT, which is this service you are talking about? Cause that's not
> > feasible with everything.
>
> ultimately, i want to route some Mcafee ePolicy clients to use another
> server. 

Yes, I know nothing about it. Is redirecting TCP port 8080 enough?

[snip]

> was my syntax in my example incorrect?

Yes, try removing the interface, just to be more general,
until you figure it out. Something like:
rdr inet proto tcp from any to x.x.x.x port = ssh -> y.y.y.y port 22

And use "pfctl -vsnat" to check the state of the rdr command, like this:
  [ Evaluations: 3434      Packets: 14        Bytes: 840         States: 0     ]

Be sure that every host involved is reachable from the pf box.

Nikos
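A fuller pf.conf fragment built around the rdr line suggested above, as an added example that is not from the thread or from any of its participants. The macro names, the 8080 port (the one asked about for the ePolicy clients) and the addresses are placeholders chosen for illustration; the syntax is the classic rdr/pass form that FreeBSD's pf used in 2007.

```pf
# Added example (not from the thread): pf.conf on the box that sits between
# the clients' network and the new server. All addresses are placeholders.
old_server = "192.0.2.10"     # address the clients still point at (old box, now down)
new_server = "198.51.100.20"  # address of the replacement server
epo_port   = "8080"           # constructed: TCP port the clients connect to

# Translate the destination only. The pf box must NOT have $old_server
# configured on one of its own interfaces, otherwise the local TCP/IP stack
# accepts the packet as its own instead of forwarding it to $new_server.
# No "on <interface>" yet, as suggested above: keep the rule general until
# the counters in "pfctl -vsnat" show it matching, then narrow it down.
rdr pass inet proto tcp from any to $old_server port $epo_port -> $new_server

# Without "rdr pass" the translated packet still has to get through the
# filter rules. The filter sees the packet AFTER translation, so it must be
# matched on the new destination, not the old one:
# pass in inet proto tcp from any to $new_server port $epo_port keep state
```

Forwarding has to be enabled on the pf box (gateway_enable="YES" in rc.conf, or sysctl net.inet.ip.forwarding=1) and the rules loaded with pfctl -f /etc/pf.conf. After a client connects, pfctl -vsnat should show the Packets and States counters of the rdr rule climbing and pfctl -ss should list a state with the translated destination; if the counters stay at zero while Evaluations grows, the packets are not taking the path through this box, which is the routing condition the thread keeps coming back to.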


More information about the freebsd-questions mailing list