On Mon, Mar 21, 2011 at 02:45:35PM +0100, Henning Brauer wrote:
> * jirib <ji...@devio.us> [2011-03-21 09:55]:
> > On Sat, 19 Mar 2011 21:28:09 +0100
> > Henning Brauer <lists-open...@bsws.de> wrote:
> > > > it was working for me - rdr-to outbound to a daemon on the firewall
> > > > itself, but I deleted that virtual machine...
> > > > rdr-to is usually applied inbound. If applied
> > > > outbound, rdr-to to a local IP address is not supported.
> > > > I would put my hand in fire -- it was working :) I read the manpage
> > > > but I don't get it, how could it work then?
> > > pretty certain it could not have worked. the rdr-to in this case is
> > > too late and the local/remote decision already taken.
> > I understand I'm becoming annoying but it worked, but maybe I was on
> > drugs... Unfortunately no evidence in hand now :) I tested like this:
>
> might have run into a case where it works out of coincidence. I am not
> going to track this down for you now.
>
> > Any idea how to redirect outgoing traffic to local port?
> > Would this be hard to add such functionality into PF? (I don't like
> > such comparisons but it can be done on other OS.)
>
> it is not a pf matter, it is in the stack and not feasible. no
> interest here.
>
The problem is that the states created by an outgoing remote rdr-to local rule will cause untranslated traffic to go out of the firewall (e.g. with 127.0.0.1 as source IP). So this does not work.

While outgoing local rdr-to local is not affected by this (because all traffic is routed via lo0 and so the states find each other again).

In the end there is no outgoing rdr-to rule that could not be changed to an incoming rdr-to rule for remote/external traffic passing through a FW.

-- 
:wq Claudio
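As an added illustration of the point made above (a constructed pf.conf fragment, not from anyone in the thread), here is the outbound rule that cannot work beside the inbound rewrite that carries the same intent. The interface name, LAN network and proxy port are assumptions.

```pf
# Constructed example, not from the thread. Assumed: em1 is the LAN
# interface, 192.168.1.0/24 its network, and a daemon on the firewall
# listens on 127.0.0.1 port 3128 (e.g. a transparent proxy).
int_if = "em1"
lan = "192.168.1.0/24"
proxy_port = "3128"

# Does NOT work (see the thread): by the time an out rule runs, the
# stack has already decided the packet leaves the box, so the state
# would carry an untranslated local address and replies never match it.
# pass out on egress inet proto tcp from $lan to any port 80 \
#     rdr-to 127.0.0.1 port $proxy_port

# Works: redirect on the inbound side of the internal interface, before
# the forwarding decision. The same state translates replies back.
pass in on $int_if inet proto tcp from $lan to any port 80 \
    rdr-to 127.0.0.1 port $proxy_port

# Let the redirected connections reach the local daemon.
pass in on $int_if inet proto tcp from $lan to 127.0.0.1 port $proxy_port
```

Load with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the translated state once a LAN host connects to port 80.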