Hello everybody!
Recently I saw this trick on
http://www.tedunangst.com/flak/post/turn-your-network-inside-out-with-one-pfconf-trick
I decided it was a great idea, and tried to add this rule to my firewall, but it doesn't work.
Look, I placed this line immediately after the nat-to rule:
#Enable NAT
pass out on $ext_if inet from $lan_net to any nat-to $ext_if keep state (pflow)
#ntp and domain redirection
pass in on $int_if proto {tcp,udp} from !192.168.2.65 to any port {domain,ntp} rdr-to lo
So it expands to these rules:
pass in on em1 inet proto tcp from ! 192.168.2.65 to any port = 53 flags S/SA rdr-to 127.0.0.1
pass in on em1 inet proto tcp from ! 192.168.2.65 to any port = 123 flags S/SA rdr-to 127.0.0.1
pass in on em1 inet proto udp from ! 192.168.2.65 to any port = 53 rdr-to 127.0.0.1
pass in on em1 inet proto udp from ! 192.168.2.65 to any port = 123 rdr-to 127.0.0.1
192.168.2.65 is my local domain and NTP server; it must be able to access the world to work properly.
em1 is my LAN interface.
Anyway, this rule doesn't work and I don't know why :(
$ doas tcpdump -i em1 port ntp
tcpdump: listening on em1, link-type EN10MB
11:07:35.594706 192.168.3.119.4662 > clock.via.net.ntp: v1 client strat 0 poll 0 prec 0
11:07:35.594804 clock.via.net.ntp > 192.168.3.119.4662: v1 server strat 2 poll 0 prec -6 [tos 0x10]
11:07:40.131132 192.168.2.75.45003 > mail.sonur.ru.ntp: v4 client strat 0 poll 0 prec 0 (DF)
11:07:40.136985 mail.sonur.ru.ntp > 192.168.2.75.45003: v4 server strat 2 poll 0 prec -6 [tos 0x10]
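As an added check (not part of the post), the script below parses tcpdump NTP lines in the format shown above and lists every LAN client, other than the exempt server 192.168.2.65, whose NTP query went to an external server instead of being redirected. It assumes the capture was taken at a point where pf has already processed the packets (on em1, inbound packets reach tcpdump before pf translates them), and it treats numeric RFC 1918 sources as LAN hosts and resolved hostnames as external.

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of the post's "tcpdump -i em1 port ntp" output,
# plus two extra lines: a query from the exempt server and one to the internal server.
CAPTURE = """\
11:07:35.594706 192.168.3.119.4662 > clock.via.net.ntp: v1 client strat 0 poll 0 prec 0
11:07:35.594804 clock.via.net.ntp > 192.168.3.119.4662: v1 server strat 2 poll 0 prec -6 [tos 0x10]
11:07:40.131132 192.168.2.75.45003 > mail.sonur.ru.ntp: v4 client strat 0 poll 0 prec 0 (DF)
11:07:40.136985 mail.sonur.ru.ntp > 192.168.2.75.45003: v4 server strat 2 poll 0 prec -6 [tos 0x10]
11:07:41.200000 192.168.2.65.123 > clock.via.net.ntp: v4 client strat 0 poll 0 prec 0 (DF)
11:07:42.300000 192.168.2.80.50001 > 192.168.2.65.ntp: v4 client strat 0 poll 0 prec 0 (DF)
"""

# Hosts allowed to reach external time servers (the post's local DNS/NTP server).
EXEMPT = {ip_address("192.168.2.65")}

# One tcpdump NTP line: "<ts> <src>.<port> > <dst>.<port>: v<n> client|server ...".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): v\d+ (?P<role>client|server)\b")

def split_endpoint(endpoint):
    """'192.168.2.75.45003' -> ('192.168.2.75', '45003'); 'mail.sonur.ru.ntp' -> ('mail.sonur.ru', 'ntp')."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def is_internal(host):
    """Assumption: numeric private addresses are LAN hosts, resolved hostnames are external."""
    try:
        return ip_address(host).is_private
    except ValueError:
        return False

def leaked_queries(capture):
    """Return (timestamp, client, server) for NTP client packets from non-exempt LAN hosts
    to external servers: each one is a query the rdr-to rule should have sent to lo instead."""
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["role"] != "client":
            continue                      # skip unparsable lines and server replies
        src, _ = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        if dport != "ntp" or not is_internal(src) or ip_address(src) in EXEMPT:
            continue                      # not an NTP query from a restricted LAN client
        if is_internal(dst):
            continue                      # headed to the local time server, as intended
        leaks.append((m["ts"], src, dst))
    return leaks

if __name__ == "__main__":
    for ts, client, server in leaked_queries(CAPTURE):
        print(f"{ts}: {client} reached external NTP server {server} (redirect missed)")
```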