I completely understand what you're doing there, but that isn't what I'm trying to do. Perhaps I'll give you a simple scenario that shows how to make my needs easier to understand.
My home network is 192.168.1.0/24. A host on my network is 192.168.1.10. There is NO host at 192.168.1.200. I want to be able to rewrite any traffic sent to 192.168.1.200 so that it actually goes to 192.168.1.10:

    iptables -A OUTPUT -t nat -d 192.168.1.200 -j DNAT --to 192.168.1.10

Voila, like magic, the packets are rewritten. I can ping 192.168.1.200 even though it doesn't exist! My computer is completely fooled into thinking it does, because iptables rewrites transparently.

This is what I want to do with pf. Only I'm rewriting external REAL world addresses to internal addresses for a development environment, under very specific conditions where split horizon DNS doesn't fit the requirements (because it's always on; separate DNS servers and host file changes are too intrusive, so they aren't viable either). I'm doing this by running a proxy on the box where the firewall is. Access the proxy and your traffic is rewritten to this specific dev environment. This works on a Linux box, but I'd like to move the operation to a BSD box with pf.

Do you understand the issue a little better now? It's a hack, I'll admit, but it works in iptables, and why pf doesn't seem to offer this functionality is confusing. Or maybe I'm going about it wrong and it *is* possible. I'm not sure yet. That's why I'm emailing here :)

Mark

On Wed, Apr 16, 2008 at 09:42:34PM -0500, Peques wrote:
> Have you tried?
>
> webserver = "192.168.2.7"
> webports = "{ http, https }"
> emailserver = "192.168.2.5"
> email = "{ smtp, pop3, imap, imap3, imaps, pop3s }"
>
> rdr on $ext_if proto tcp from any to $ext_if port $webports -> $webserver
> rdr on $ext_if proto tcp from any to $ext_if port $email -> $emailserver
>
> pass proto tcp from any to $webserver port $webports synproxy state
> pass proto tcp from any to $emailserver port $email synproxy state
> pass proto tcp from $emailserver to any port smtp synproxy state
>
> or can you probe
>
> lan1 = "10.10.10.10/24"
> lan2 = "192.168.0.0/24"
> rdr on $ext_if proto {tcp,udp} from $lan1 to $lan2
>
> See you
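As an added illustration (not part of Mark's or Peques's mail), here is Mark's 192.168.1.200 -> 192.168.1.10 scenario written in the pf.conf syntax of that era, with the one distinction that explains why the rdr rules Peques posted do not cover his case: nat rules are applied to outgoing packets, rdr rules to incoming ones, so a plain rdr never sees connections that the firewall itself (for example a proxy running on it) originates. The interface name em0 is an assumption; the lo0 route workaround at the end is a commonly used trick, not something this thread confirms, so verify it on your own release.

```pf
# Added example, not from the thread. Mirrors Mark's scenario:
# 192.168.1.200 does not exist; rewrite anything sent there to 192.168.1.10.
int_if = "em0"            # assumed LAN interface name
ghost  = "192.168.1.200"  # address that has no host behind it
real   = "192.168.1.10"   # host that should actually receive the traffic

# rdr only matches packets ARRIVING on the named interface, so this rewrites
# traffic from other LAN hosts that transits the firewall ...
rdr on $int_if inet from any to $ghost -> $real
pass in  on $int_if inet from any to $real keep state
pass out on $int_if inet from any to $real keep state

# ... but not packets generated on the firewall itself (a local ping, or a
# proxy bound on this box), which is exactly the OUTPUT-chain DNAT case.
#
# Workaround (assumption, check pf.conf(5) for your release): give the ghost
# address a host route via the loopback so a locally generated packet re-enters
# pf as an INBOUND packet on lo0, where an rdr rule can rewrite it:
#
#   route add -host 192.168.1.200 127.0.0.1
#   sysctl net.inet.ip.forwarding=1
#
# The sample pf.conf ships with "set skip on lo0"; that line must be removed
# or the rule below is never evaluated.
rdr on lo0 inet from any to $ghost -> $real
pass in on lo0 inet from any to $real keep state
```

The security-relevant caveat is the same one that applies to the iptables hack: whichever box trusts this firewall for the "real world" address now has its traffic silently steered to a development host, so keep the rdr scoped as tightly as the proxy needs (a `proto tcp ... port` qualifier rather than `from any to $ghost`) and do not leave it in the default pf.conf on a box that also forwards production traffic.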