On 2014-01-31, Darren Tucker <dtuc...@zip.com.au> wrote:
> On Fri, Jan 31, 2014 at 4:02 AM, Pieter Verberne
> <pieterverbe...@xs4all.nl> wrote:
>> Hi there,
>>
>> When I use a client, which is behind a pf firewall, I use this redirect
>> rule:
>> pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to
>> 10.1.2.3
>>
>> Now I have a client that is connected via a socks5 SSH tunnel to the pf
>> firewall. Can I still have a pf redirect to this client?
>
> I wrote code to do this for PF some time back based on work by Luca
> Barbieri for the same functionality on Linux:
> https://bugzilla.mindrot.org/show_bug.cgi?id=1295
>
> I suspect the patch will have bitrotted since then.
>
> The other gotcha is that it needed to be run as root to open the PF
> device to look up the NAT states.  That could potentially be mitigated
> by a setuid helper program, but from memory it needed write access for
> the DIOCNATLOOK ioctl, so it'd still be potentially dangerous.

Rather than writing a helper running as root, you can change from using
nat redirects (rdr-to) to using divert sockets (divert-to). The proxy will
then receive unmodified packets and can just use getsockname(2) to retrieve
the original address, which does not require privileges.

The same method will also work with FreeBSD ipfw.
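As an added example (not code from this thread or the OpenSSH patch), the accept path such a divert-to proxy would use, in C. The listener address, the pf rule quoted in the comment and the loopback self-check are assumptions for illustration; because divert-to (or ipfw fwd) hands the socket the unmodified packet, getsockname(2) on the accepted socket returns the original destination, so the proxy needs neither /dev/pf nor root.

```c
/* Added example (not from this thread): accept side of a proxy behind a pf
 * "divert-to" / ipfw "fwd" rule; getsockname(2) yields the ORIGINAL destination. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Original destination of an accepted connection; 0 on success, -1 on error.
 * In a divert-to proxy this replaces the root-only DIOCNATLOOK lookup. */
int orig_dst(int fd, char *ip, size_t iplen, unsigned short *port)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0 || sin.sin_family != AF_INET ||
        inet_ntop(AF_INET, &sin.sin_addr, ip, iplen) == NULL)
        return -1;
    *port = ntohs(sin.sin_port);
    return 0;
}

/* Listener the (assumed) rule points at, e.g.
 *   pass in on $ext_if proto tcp to port 12345 divert-to 127.0.0.1 port 12345 */
int listen_on(const char *addr, unsigned short port)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    if (fd >= 0 && inet_pton(AF_INET, addr, &sin.sin_addr) == 1 &&
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) == 0 &&
        bind(fd, (struct sockaddr *)&sin, sizeof(sin)) == 0 && listen(fd, 16) == 0)
        return fd;
    if (fd >= 0) close(fd);
    return -1;
}

/* Loopback self-check (constructed, no pf needed): connect to our own listener and
 * read the destination back.  1 if orig_dst() reports 127.0.0.1:<listener port>. */
int loopback_check(void)
{
    int lfd = listen_on("127.0.0.1", 0), cfd = -1, afd = -1, ok = 0;
    struct sockaddr_in sin; socklen_t len = sizeof(sin);
    char ip[INET_ADDRSTRLEN]; unsigned short port = 0;
    if (lfd < 0 || getsockname(lfd, (struct sockaddr *)&sin, &len) < 0) return 0;
    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) >= 0 &&
        connect(cfd, (struct sockaddr *)&sin, sizeof(sin)) == 0 &&
        (afd = accept(lfd, NULL, NULL)) >= 0 && orig_dst(afd, ip, sizeof(ip), &port) == 0)
        ok = strcmp(ip, "127.0.0.1") == 0 && port == ntohs(sin.sin_port);
    close(afd); close(cfd); close(lfd);   /* close(-1) is just a harmless EBADF */
    return ok;
}
```

In a real proxy the accept loop would call orig_dst() on each accepted socket and open the outbound connection to that address, with no privileged lookup anywhere.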
