On 2/14/2020 6:30 AM, Fabio Martins wrote:
Hi Nick,

Thanks. I applied both rules below, unfortunately I am still only hitting
rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
test). I tried inverting the order, too, but no luck.

#1
match in on $ext_if proto tcp from <spammers> to ($ext_if) port 25 \
rdr-to 200.200.200.200 port 2222

#2
match out on $ext_if proto tcp to 200.200.200.200 port 2222 received-on \
$ext_if nat-to ($ext_if)

--
Fabio Martins


Odd, are you allowing the traffic with an appropriate pass rule later?

I use tagging for rules related to rdr and nat to keep things simple, here is the full working setup I used to bounce port 8099 on the external interface to www.openbsd.org port 80.

#Fun reverse redirection of www.openbsd.org
match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
rdr-to 129.128.5.194 port 80
match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on $ext_if \
nat-to $ext_if

#block all to start
block log all
pass quick tagged RDR
pass out on $ext_if


Make sure you are testing from an external host of course.
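For comparison, here is Fabio's spammer redirect rewritten with the tag-and-pass layout from the setup above. This is an added example, not configuration from either poster; the interface name, the table contents and the tarpit host are placeholders, and the pass rules are the part a default-deny ruleset needs for the translated connection to go anywhere.

```pf
# Added example: Fabio's rdr-to/nat-to pair plus the tag/pass rules.
# em0, the table entries and 200.200.200.200 are placeholders, not a live deployment.
ext_if      = "em0"                 # assumed external interface name
tarpit      = "200.200.200.200"     # host that receives the bounced SMTP (from the thread)
tarpit_port = "2222"

table <spammers> persist { 198.51.100.0/24 }   # constructed sample entries

# 1. Inbound SMTP from listed sources is redirected to the tarpit and tagged
#    so a later pass rule can recognise the connection.
match in on $ext_if proto tcp from <spammers> to ($ext_if) port 25 \
    tag RDR rdr-to $tarpit port $tarpit_port

# 2. When the redirected packet leaves via the same interface, source-NAT it
#    so the tarpit's replies return through this firewall rather than going
#    straight back to the original sender.
match out on $ext_if proto tcp to $tarpit port $tarpit_port \
    received-on $ext_if nat-to ($ext_if)

# 3. Default deny, then admit only the tagged connection. "match ... rdr-to"
#    only sets up the translation; without a pass rule the packet is still
#    dropped here, which looks like the nat-to rule never being reached.
block log all
pass quick tagged RDR
pass out on $ext_if
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -ss` from an external test host to confirm both the rdr-to and nat-to states appear.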



