On 2014-01-31, Darren Tucker <dtuc...@zip.com.au> wrote:
> On Fri, Jan 31, 2014 at 4:02 AM, Pieter Verberne
> <pieterverbe...@xs4all.nl> wrote:
>> Hi there,
>>
>> When I use a client, which is behind a pf firewall, I use this redirect
>> rule:
>> pass in on $ext_if proto {tcp, udp} from any to any port 12345 rdr-to
>> 10.1.2.3
>>
>> Now I have a client that is connected via a socks5 SSH tunnel to the pf
>> firewall. Can I still have a pf redirect to this client?
>
> I wrote code to do this for PF some time back based on work by Luca
> Barbieri for the same functionality on Linux:
> https://bugzilla.mindrot.org/show_bug.cgi?id=1295
>
> I suspect the patch will have bitrotted since then.
>
> The other gotcha is that it needed to be run as root to open the PF
> device to look up the NAT states. That could potentially be mitigated
> by a setuid helper program, but from memory it needed write access for
> the DIOCNATLOOK ioctl, so it'd still be potentially dangerous.
Rather than writing a helper running as root, you can change from using nat redirects (rdr-to) to using divert sockets (divert-to); then the proxy will receive unmodified packets and can just use getsockname(2) to retrieve the original address, which does not require privileges. The same method will also work with FreeBSD ipfw.
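The getsockname(2) approach described in the reply above, as an added example that is not part of the thread and not code from OpenSSH or pf. It assumes a divert-to rule derived from the rdr-to rule quoted earlier, with the proxy listening on 127.0.0.1 port 12345; the helper names (listen_on, original_destination, demo_roundtrip) are the example's own. The self-test runs over loopback without pf, so there both addresses are the same; behind a divert-to rule the accepted socket's local address is the client's real destination while the listener stays bound to 127.0.0.1:12345, and no root-only NAT lookup is needed.

```c
/* Assumed pf rule (constructed for this example; replaces the quoted rdr-to rule):
 *   pass in on $ext_if proto tcp from any to any port 12345 \
 *       divert-to 127.0.0.1 port 12345
 * divert-to leaves the packet headers untouched, so getsockname(2) on the
 * accepted socket yields the original destination without privileges. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Format an IPv4 sockaddr as "ip:port". Returns 0 on success, -1 otherwise. */
static int format_addr(const struct sockaddr_in *sin, char *buf, size_t buflen)
{
    char ip[INET_ADDRSTRLEN];

    if (sin->sin_family != AF_INET ||
        inet_ntop(AF_INET, &sin->sin_addr, ip, sizeof(ip)) == NULL)
        return -1;
    snprintf(buf, buflen, "%s:%u", ip, (unsigned)ntohs(sin->sin_port));
    return 0;
}

/* Original destination of an accepted connection: the socket's local
 * endpoint, which under divert-to is the address the client connected to. */
int original_destination(int fd, char *buf, size_t buflen)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);

    memset(&sin, 0, sizeof(sin));
    if (getsockname(fd, (struct sockaddr *)&sin, &len) == -1)
        return -1;
    return format_addr(&sin, buf, buflen);
}

/* Listening IPv4 TCP socket on addr:port (port 0 = ephemeral). fd or -1. */
int listen_on(const char *addr, unsigned short port)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd == -1)
        return -1;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1 ||
        listen(fd, 5) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Loopback round trip with no pf involved: listen, connect, accept, and
 * report the listener's bound address and the accepted socket's local
 * address. Equal here; they differ behind divert-to. Returns 0 on success. */
int demo_roundtrip(char *listener, size_t llen, char *orig, size_t olen)
{
    struct sockaddr_in bound;
    socklen_t len = sizeof(bound);
    int lfd, cfd, afd = -1, rc = -1;

    if ((lfd = listen_on("127.0.0.1", 0)) == -1)
        return -1;
    memset(&bound, 0, sizeof(bound));
    if (getsockname(lfd, (struct sockaddr *)&bound, &len) == -1 ||
        format_addr(&bound, listener, llen) == -1 ||
        (cfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        close(lfd);
        return -1;
    }
    if (connect(cfd, (struct sockaddr *)&bound, sizeof(bound)) == 0 &&
        (afd = accept(lfd, NULL, NULL)) != -1) {
        rc = original_destination(afd, orig, olen);
        close(afd);
    }
    close(cfd);
    close(lfd);
    return rc;
}

int main(void)
{
    char l[64], o[64];

    if (demo_roundtrip(l, sizeof(l), o, sizeof(o)) != 0) {
        perror("demo_roundtrip");
        return 1;
    }
    printf("listener bound to:    %s\n", l);
    printf("original destination: %s\n", o);
    return 0;
}
```

A real proxy would call original_destination on each fd returned by accept(2) and connect onward to that address; this example handles IPv4 only, and the divert-to listener must be bound on the address named in the rule.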