On Wed, 20 Jun 2007, Jason Dixon wrote:

> On Wed, 20 Jun 2007 12:00:18 +0200, RafaE Brodewicz <[EMAIL PROTECTED]>
> wrote:
> > Hello.
> > I have a machine with one interface pcn0 and ip 192.168.1.7 and I was
> > trying to redirect outgoing traffic from it with no success.
> > My pf rule:
> >
> > rdr on pcn0 inet proto tcp from pcn0 to 192.168.1.1 port 80 ->
> > 192.168.1.10
> >
> > When I do "telnet 192.168.1.1 80" it doesn't redirect traffic.
> > What am I doing wrong?
>
> http://www.openbsd.org/faq/pf/rdr.html#reflect
Certainly interesting reading, but I don't think it addresses the OP's
question. As I understand it, the question refers to an ethernet, with no
routing through a firewall being involved.

      192.168.1.7         192.168.1.1         192.168.1.10
           |                   |                   |
    ...----+-------------------+-------------------+---------....

Host7 connects through its sole interface pcn0 to an ethernet. The OP has
a rule which he believes will cause tcp packets for Host1:80 to be
redirected to Host10:80. The OP implies (and I infer) that the rdr rule
given is his only pf rule.

Clearly packets going from Host7 to anywhere else pass through interface
pcn0. There is no interface to reflect from in the sense of the faq entry
cited.

I can duplicate the OP's problem. This rule is slightly different (his
Host10 is my Host2, obviously), and I have added "pass log". This is the
~entire~ contents of /etc/pf.conf:

    rdr pass log on fxp0 inet proto tcp from fxp0 to 192.168.1.1 port 80 \
        -> 192.168.1.2 port 8080

My OS is 4.1 STABLE, i386. Note that in my kernel,
net.inet.ip.forwarding=0. Also note that this kernel was booted with
"pf=NO" in /etc/rc.conf, so the extra stuff related to that switch in
/etc/rc was not performed.

Trial:

    [EMAIL PROTECTED] root 0:167]# telnet 192.168.1.1 80
    Trying 192.168.1.1...
    telnet: connect to address 192.168.1.1: Connection refused

This does not appear to be redirected. I would have expected to see this:

    [EMAIL PROTECTED] root 0:167]# telnet 192.168.1.1 80
    Trying 192.168.1.2...
    telnet: connect to address 192.168.1.2: Connection refused

(No daemons are listening on port 1:80 or 2:8080).

Enabling forwarding changes nothing. (I didn't expect it to.)

I have time and resources (throw-away boxes on the LAN) to experiment,
but request guidance and clues.

I have repeated the experiment with this pf.conf and forwarding enabled
(129... is www.openbsd.org):

    ##################################################################
    rdr pass log inet proto tcp from any to 192.168.1.1 port 80 -> 129.128.5.191 port 80
    pass log all
    ##################################################################

It also failed to redirect.

A few years ago, I would have said to enable packet filtering in
/etc/sysctl.conf, but that appears to be no longer switchable. A few
trials with block filter rules show pf to be "on".

Dave