> What I'd like to see is a real virtual machine designed for
> packet filtering (similar to BPF), and we compile the rules
> into VM instructions,
You've been using that Israeli firewall product again, what was it called
again, Crackpoint ? :-)
Greg
___
Hmm, gosh, I don't really know without trying. I think so, it should
be like any other incoming packet as it arrives on the lo0 interface.
Try it and let us know!
You could also use route-to, or a static route, rather than an if
alias, to get it to go to lo0, I think.
So, it didn't work on lo0.
On 7/15/06, Christian Meutes <[EMAIL PROTECTED]> wrote:
Then would it be possible to bind the IP to lo0 as an alias, connect to this IP, and then let the rule rewrite the destination to another one which lies on fxp0 directly?
You cannot DNAT in outbound, nor can you SNAT on inbound. I have been
asking for the symmetric cases on the OpenBSD pf list, and it's on my
"to do one day" list, but I have no idea when that will become the top
priority (maybe never).
As I understand it, this limitation has to do with the way
On 7/15/06, Nejc Skoberne <[EMAIL PROTECTED]> wrote:
request is E.F.G.H, the source address of the DNS reply is A.B.C.D! That is why the route-to rule doesn't work any more. If I remember correctly, this is due to the fact that UDP is a connectionless protocol and the DNS server doesn't have to bind to
Hello,
I changed the pf.conf a little, so it fits my needs (I also need multihoming for a server which is reachable via a forwarded port). So TCP and ICMP work correctly now. However, I still have problems with UDP services.
For example, I also run a DNS server on this FreeBSD server. If I try
On 7/15/06, Christian Meutes <[EMAIL PROTECTED]> wrote:
I have used a simple RDR rule for accomplishing this:
"rdr pass on fxp0 proto tcp from $server_ip to 1.1.1.1 port 25 -> 2.2.2.2
... but without any success.
When tcpdumping on fxp0 to check what is happening, I recognized that the packets ar
On 7/14/06, Paul Schenkeveld <[EMAIL PROTECTED]> wrote:
I'd prefer to have PF_DEFAULT_BLOCK analogous to IPFILTER_DEFAULT_BLOCK instead of some magic script closing the hole between driver init and configuration. Always wondered how the OpenBSD -security minded- people have come up with a packet
Hello list,
I am trying to redirect traffic which is locally generated on a server to a different IP address. PF is running on the server and there is no way to change this. So for example, if the server wants to deliver a mail via SMTP to 1.1.1.1, then PF should rewrite 1.1.1.1 to 2.2.2.2, keep-