Re: rdr outgoing traffic

Wed, 20 Jun 2007 18:55:52 -0700 

On Wed, 20 Jun 2007, Jason Dixon wrote:

> On Wed, 20 Jun 2007 12:00:18 +0200, RafaE Brodewicz <[EMAIL PROTECTED]> 
> wrote:
> > Hello.
> > I have machine with one interface pcn0 and ip 192.168.1.7 and I was
> > trying to redirect outgoing traffic from it with no success.
> > My pf rule:
> > 
> > rdr on pcn0 inet proto tcp from pcn0 to 192.168.1.1 port 80 ->
> > 192.168.1.10
> > 
> > When I do "telnet 192.168.1.1 80" it doesn't redirect traffic.
> > What am I doing wrong?
> 
> http://www.openbsd.org/faq/pf/rdr.html#reflect

Certainly interesting reading, but I don't think it addresses OP's
question.

As I understand it, the refers to an ethernet, no routing through
a firewall being involved.

   192.168.1.7         192.168.1.1         192.168.1.10
         |                   |                   |
 ...-----+-------------------+-------------------+---------....

Host7 connects through its sole interface pcn0 to an ethernet.  The
OP has a rule which he believes will cause tcp packets for Host1:80
to be redirected to Host10:80.  OP implies (and I infer) that the
rdr rule given is his only pf rule.

Clearly packets going from Host7 to anywhere else pass through
interface pcn0.  There is no interface to reflect from in the sense
of the faq entry cited.

I can duplicate OP's problem.  This rule is slightly different.
(his Host10 is my Host2, obviously)  I have added "pass log".
This is the ~entire~ contents of /etc/pf.conf

rdr pass log on fxp0 inet proto tcp from fxp0 to 192.168.1.1 port 80 \
        -> 192.168.1.2 port 8080

My OS is 4.1 STABLE, i386.  Note that in my kernel,
net.inet.ip.forwarding=0. 

Also note that this kernel was booted with "pf=NO" in /etc/rc.conf,
so the extra stuff related to that switch in /etc/rc was not performed.

Trial:

[EMAIL PROTECTED] root 0:167]# telnet 192.168.1.1 80
Trying 192.168.1.1...
telnet: connect to address 192.168.1.1: Connection refused

This does not appear to be redirected.  I would have expected
to see this:
[EMAIL PROTECTED] root 0:167]# telnet 192.168.1.1 80
Trying 192.168.1.2...
telnet: connect to address 192.168.1.2: Connection refused

(No daemons are listening on port 1:80 or 2:8080).

Enabling forwarding changes nothing. (I didn't expect it to.)

I have time and resources (throw-away boxes on the LAN) to experiment,
but request guidance and clues.

I have repeated the experiment with this pf.conf and forwarding
enabled: (129... is www.openbsd.org)  It also failed to redirect.

##################################################################
rdr pass log inet proto tcp from any to 192.168.1.1 port 80 -> 
        129.128.5.191 port 80

pass log all
##################################################################

A few years ago, I would have said to enable packet filtering in
/etc/sysctl.conf, but that appears to be no longer switchable.
A few trials with block filter rules shows pf to be "on".

Dave

Reply via email to