sysctl net.inet.ip.forwarding=1
On 2011-04-08, rancor <theran...@gmail.com> wrote:
> Thanks for your reply. It still does not work. I can't see any data
> leaving the mirror to the server.
>
> Nothing is blocked in pflog0 and tcpdump does not show any connections
> to 74.125.43.99
>
> This is my pf.conf
>
> ---- [snipp]----
> # Macro
> admin= "{ xxx xxx }"
>
> ext_if= "{ vic0 }"
> client= "{ 10.10.15.30 }"
> mirror= "{ 10.40.20.5 }"
> server= "{ 74.125.43.99 }"
>
> # Rules
> block in log
> pass quick on lo0
> pass out keep state
>
> pass in from $client to $mirror rdr-to $server tag mirrored
> pass out tagged mirrored nat-to $mirror
>
> block in log inet proto icmp to self icmp-type redir
> pass in inet proto icmp from $admin to self
>
> pass in proto tcp from $admin to self port ssh
> ---- [/snipp]----
>
> 74.125.43.99 is an ordinary Google server for search that I'm using for my
> test.
>
> I'm trying to use HTTP, targeting mirror from a browser. I should
> see outgoing connections from mirror to server, but there is only data
> between client and mirror.
>
> This is a short tcpdump of a http request
>
> # tcpdump -n not port ssh
> tcpdump: listening on vic0, link-type EN10MB
> 10:49:09.509062 10.10.15.30.44142 > 10.40.20.5.80: S
> 341929812:341929812(0) win 64240 <mss 1380,sackOK,timestamp 83797170
> 0,nop,wscale 3> [tos 0x88]
> 10:49:16.307710 10.10.15.30.44142 > 10.40.20.5.80: S
> 341929812:341929812(0) win 64240 <mss 1380,sackOK,timestamp 83797770
> 0,nop,wscale 3> [tos 0x88]
> 10:49:28.269764 10.10.15.30.43624 > 10.40.20.5.80: S
> 677212245:677212245(0) win 64240 <mss 1380,sackOK,timestamp 83799022
> 0,nop,wscale 3> [tos 0x88]
> 10:49:31.003629 10.10.15.30.43624 > 10.40.20.5.80: S
> 677212245:677212245(0) win 64240 <mss 1380,sackOK,timestamp 83799322
> 0,nop,wscale 3> [tos 0x88]
>
> There is nothing blocked in pflog0 at the same time.
>
> This is the running pf rules
> # pfctl -srules
> block drop in log all
> pass quick on lo0 all flags S/SA keep state
> pass out all flags S/SA keep state
> pass in inet from 10.10.15.30 to 10.40.20.5 flags S/SA keep state tag
> mirrored rdr-to 74.125.43.99
> pass out inet all flags S/SA keep state tagged mirrored nat-to 10.40.20.5
> block drop in log inet proto icmp from any to 127.0.0.1 icmp-type redir
> block drop in log inet proto icmp from any to 10.40.20.5 icmp-type redir
> pass in inet proto icmp from xx to 127.0.0.1 keep state
> pass in inet proto icmp from xx to 10.40.20.5 keep state
> pass in inet proto icmp from xx to 127.0.0.1 keep state
> pass in inet proto icmp from xx to 10.40.20.5 keep state
> pass in inet proto tcp from xx to 127.0.0.1 port = ssh flags S/SA keep state
> pass in inet proto tcp from xx to 10.40.20.5 port = ssh flags S/SA keep state
> pass in inet proto tcp from xx to 127.0.0.1 port = ssh flags S/SA keep state
> pass in inet proto tcp from xx to 10.40.20.5 port = ssh flags S/SA keep state
>
> Thanks for trying to help me.
>
> Best regards
>
>
> 2011/4/8 Stuart Henderson <s...@spacehopper.org>:
>> On 2011-04-07, rancor <theran...@gmail.com> wrote:
>>> I want to reflect all IP from a client to a server via another machine
>>> called mirror. Client and server can't access each other and there is
>>> nothing I can do about that. However, the mirror can access both
>>> client and server, so I want all traffic from client to mirror to be
>>> reflected to server, and all responses from the server should be
>>> reflected back to the client via the mirror.
>>
>> this is probably the simplest way:
>>
>> pass in from $client to $mirror rdr-to $server tag mirrored
>> pass out tagged mirrored nat-to $mirror
>>
>> if someone has time to write this up for www/faq/pf/rdr.html,
>> please send me a diff.
>>
>> also related: binat-to (*without* setting the interface) also
>> happens to put rules in place which allow you to connect from a
>> client in the same subnet as the server. (credit to phessler for
>> this tip).
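As an added example (not part of the thread, not code from any of its participants), the following sh script for the mirror host ties the two halves of the thread together: it generates the reflector ruleset Stuart proposes, using the macros and addresses from rancor's pf.conf, and refuses to load it while net.inet.ip.forwarding is 0, which is the condition under which the tcpdump above shows SYNs arriving at the mirror and nothing leaving it. The admin address 192.0.2.1 and the file path /etc/pf.conf.reflect are placeholders; `sysctl`, `pfctl` and `tcpdump` are the standard OpenBSD tools.

```shell
#!/bin/sh
# Added example, not from the thread: generate the reflector ruleset and
# load it only when the kernel will actually forward the redirected packets.
# Addresses in the usage line are the thread's own; 192.0.2.1 is a
# placeholder admin address and /etc/pf.conf.reflect a placeholder path.

# Emit a pf.conf that reflects everything from $1 (client) arriving at
# $2 (mirror) out to $3 (server), sourced from the mirror's own address.
build_pf_conf() {
    client=$1; mirror=$2; server=$3; admin=${4:-192.0.2.1}
    cat <<EOF
# Macros
admin = "{ $admin }"
client = "{ $client }"
mirror = "{ $mirror }"
server = "{ $server }"

# Default deny inbound; outbound keeps state.
block in log
pass quick on lo0
pass out keep state

# Reflection: rewrite the destination on the way in and tag the state,
# then rewrite the source on the way out so the server replies to the mirror.
pass in from \$client to \$mirror rdr-to \$server tag mirrored
pass out tagged mirrored nat-to \$mirror

# Management access to the mirror itself.
block in log inet proto icmp to self icmp-type redir
pass in inet proto icmp from \$admin to self
pass in proto tcp from \$admin to self port ssh
EOF
}

# Return 0 when forwarding is on. Takes the value as $1 (for testing) or
# reads it from sysctl. With forwarding off, pf still creates the rdr state,
# but the kernel drops the redirected packet instead of routing it out, so
# pflog0 stays silent and no SYN ever reaches the server.
forwarding_enabled() {
    val=${1:-$(sysctl -n net.inet.ip.forwarding 2>/dev/null)}
    [ "$val" = "1" ]
}

# Count lines containing keyword $1 in the ruleset on stdin; used to sanity
# check that exactly one rdr-to and one nat-to rule were generated.
count_rule() {
    grep -c -- "$1"
}

# Generate, syntax-check and load the ruleset, but only with forwarding on.
deploy() {
    client=$1; mirror=$2; server=$3
    if ! forwarding_enabled; then
        echo "net.inet.ip.forwarding is 0; enable it first:" >&2
        echo "  sysctl net.inet.ip.forwarding=1  (persist in /etc/sysctl.conf)" >&2
        return 1
    fi
    build_pf_conf "$client" "$mirror" "$server" > /etc/pf.conf.reflect
    pfctl -nf /etc/pf.conf.reflect && pfctl -f /etc/pf.conf.reflect
}

# Usage on the mirror:  deploy 10.10.15.30 10.40.20.5 74.125.43.99
# Verify with:          pfctl -ss | grep 74.125.43.99
#                       tcpdump -ni vic0 host 74.125.43.99
```

Two caveats a practitioner should keep in mind. Turning on forwarding makes the mirror a router for whatever its `pass in` rules admit, so the default `block in log` matters and should stay; and the reflection rule as written matches every protocol and port from the client, which is what the original poster asked for ("all IP"), but if only HTTP is meant, narrow it to `proto tcp ... port 80` so the mirror does not become a general relay into a network the client is otherwise kept out of.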