On Fri, Jan 31, 2014 at 4:02 AM, Pieter Verberne
<pieterverbe...@xs4all.nl> wrote:
> Hi there,
>
> When I use a client, which is behind a pf firewall, I use this redirect
> rule:
> pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to
> 10.1.2.3
>
> Now I have a client that is connected via a socks5 SSH tunnel to the pf
> firewall. Can I still have a pf redirect to this client?I wrote code to do this for PF some time back based on work by Luca Barbieri for the same functionality on Linux: https://bugzilla.mindrot.org/show_bug.cgi?id=1295 I suspect the patch will have bitrotted since then. The other gotcha is that it needed to be run as root to open the PF device to look up the NAT states. That could potentially be mitigated by a setuid helper program, but from memory it needed write access for the DIOCNATLOOK ioctl, so it'd still be potentially dangerous. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
