Hi,

I am trying to redirect + NAT incoming packets without the need for a TCP
proxy.

Currently I have the following setup to redirect hosts abusing SMTP to an
email trap:

inetd listening on 127.0.0.1:8000 and redirecting to an external host

# inetd.conf
127.0.0.1:8000  stream tcp nowait _inetd_proxy /usr/bin/nc nc -w 20 200.200.200.200 2222

and <table> + pf rule redirecting the hosts:

# pf.conf

table <spammers> persist file "/etc/pf/tables/spammers.txt"

pass in log on egress proto tcp from <spammers> to any port 25 \
 rdr-to 127.0.0.1 port 8000

I am trying to remove the inetd from the setup.
With Linux iptables I would do a DNAT + MASQUERADE, but with PF I already
tried:

# pf.conf

#1
pass in log on xnf0 proto tcp from <spammers> to any port 2222 nat-to xnf0

#2
pass in log on egress proto tcp from <spammers> to any port 25 \
 rdr-to 200.200.200.200 port 2222


Rule #2 is correctly applied and changes the destination address to
200.200.200.200, but rule #1 (NAT) isn't applied.

I believe it is possible to NAT an external connection without using a TCP
Proxy.

Tried also the example from here: https://www.openbsd.org/faq/pf/rdr.html

pass in on $int_if proto tcp from $int_net to egress port 80 rdr-to $server
pass out on $int_if proto tcp to $server port 80 received-on $int_if \
 nat-to $int_if

Without success.

Thanks!

-- 
Fabio Martins
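For readers with the same hairpin case, here is the FAQ's rdr-to / nat-to pattern applied to the addresses in the post; this is an added example, not configuration from the post or from the OpenBSD FAQ. It assumes the spammer traffic enters and leaves through the "egress" interface group and that the trap host 200.200.200.200:2222 is reached through that same interface.

```pf
# Added example (not from the post or the OpenBSD FAQ): the FAQ's
# rdr-to / nat-to pattern applied to the post's addresses.
# Assumptions: the listed hosts arrive on and leave through the "egress"
# interface group, and the trap host 200.200.200.200:2222 is reachable
# through that same interface.

table <spammers> persist file "/etc/pf/tables/spammers.txt"

# Inbound: rewrite the destination of port-25 connections from listed
# hosts to the trap. The outbound rule below is evaluated after this
# translation, so it sees 200.200.200.200:2222, not the original SMTP
# server the spammer asked for.
pass in log on egress proto tcp from <spammers> to any port 25 \
    rdr-to 200.200.200.200 port 2222

# Outbound: source-NAT the redirected connection as it leaves, so the
# trap answers this box and PF can reverse both translations from the
# state entry. nat-to belongs on the out rule; "received-on egress"
# restricts it to connections that entered on the same interface, so
# ordinary outbound traffic to that host is left untouched.
pass out log on egress proto tcp to 200.200.200.200 port 2222 \
    received-on egress nat-to egress
```

Load it with `pfctl -f /etc/pf.conf` and confirm with `pfctl -s state` that a matching connection shows both the rewritten source and the 200.200.200.200:2222 destination in one state entry.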

