On Fri, Jan 31, 2014 at 4:02 AM, Pieter Verberne
<pieterverbe...@xs4all.nl> wrote:
> Hi there,
>
> When I use a client, which is behind a pf firewall, I use this redirect
> rule:
> pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to 10.1.2.3
>
> Now I have a client that is connected via a socks5 SSH tunnel to the pf
> firewall. Can I still have a pf redirect to this client?

I wrote code to do this for PF some time back based on work by Luca
Barbieri for the same functionality on Linux:
https://bugzilla.mindrot.org/show_bug.cgi?id=1295

I suspect the patch will have bitrotted since then.

The other gotcha is that it needed to be run as root to open the PF
device to look up the NAT states.  That could potentially be mitigated
by a setuid helper program, but from memory it needed write access for
the DIOCNATLOOK ioctl, so it'd still be potentially dangerous.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.