Hi Fabio (xará),
Apparently I achieved this with these rules:
--
pass out log on hvn0 inet proto tcp from any port 1024:65535 to 8.8.8.8 port = 3333 flags S/SA label "TESTE LISTA"
pass in on hvn0 inet proto tcp from any port 1024:65535 to 10.101.0.17 port = 25 flags S/SA label "TESTE LISTA" tag TESTE rdr-to 8.8.8.8 port 3333
match out log quick on hvn0 inet all label "TESTE LISTA" tagged TESTE nat-to 10.101.0.17
--
Of course there's room for improvement, be it simplifying the rules or making them
more specific.
Maybe I needed three rules because I use "block log" as a default rule, so:
"block in" and "block out" by default.
Here is the tcpdump output:
--
rule 0/(match) match in on hvn0: 10.101.0.24.47964 > 10.101.0.17.25: S 3824310731:3824310731(0) win 42340 <mss 1460,sackOK,timestamp 3963849164 0,nop,wscale 9> (DF)
rule 53/(match) match out on hvn0: 10.101.0.17.60331 > 8.8.8.8.3333: S 3824310731:3824310731(0) win 42340 <mss 1460,sackOK,timestamp 3862692560 0,nop,wscale 9>
rule 16/(match) pass out on hvn0: 10.101.0.17.60331 > 8.8.8.8.3333: S 3824310731:3824310731(0) win 42340 <mss 1460,sackOK,timestamp 3862692560 0,nop,wscale 9>
--
Regards,
Fabio Almeida
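The pflog lines above are the evidence that both translations (rdr-to on the way in, nat-to on the way out) were applied to the same SYN. The following script is an added example, not code from either poster: it parses tcpdump-style pflog lines, correlates the inbound and outbound records of one packet by its TCP sequence number, and reports whether the redirect chain was completed or whether the packet left with an untranslated source (the symptom described earlier in the thread, where rdr-to matched but nat-to never did). The first sample is the thread's own three lines re-joined onto one line each; the second sample, showing the failure case, is constructed for illustration, as are the function names.

```python
import re
from collections import defaultdict

# Sample 1: the three pflog lines from the thread, re-joined (the list wrapped them).
SAMPLE_OK = """\
rule 0/(match) match in on hvn0: 10.101.0.24.47964 > 10.101.0.17.25: S 3824310731:3824310731(0) win 42340 <mss 1460,sackOK,timestamp 3963849164 0,nop,wscale 9> (DF)
rule 53/(match) match out on hvn0: 10.101.0.17.60331 > 8.8.8.8.3333: S 3824310731:3824310731(0) win 42340 <mss 1460,sackOK,timestamp 3862692560 0,nop,wscale 9>
rule 16/(match) pass out on hvn0: 10.101.0.17.60331 > 8.8.8.8.3333: S 3824310731:3824310731(0) win 42340 <mss 1460,sackOK,timestamp 3862692560 0,nop,wscale 9>
"""

# Sample 2 (constructed, not from the thread): rdr-to rewrote the destination but
# no nat-to fired, so the SYN leaves with the client's original private source.
SAMPLE_NO_NAT = """\
rule 0/(match) match in on hvn0: 10.101.0.24.47964 > 10.101.0.17.25: S 111:111(0) win 42340 <mss 1460> (DF)
rule 16/(match) pass out on hvn0: 10.101.0.24.47964 > 8.8.8.8.3333: S 111:111(0) win 42340 <mss 1460>
"""

# Matches the leading part of a pflog line as tcpdump prints it for IPv4 TCP:
#   rule <n>/(<reason>) <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: <flags> <seq>:
PFLOG_RE = re.compile(
    r"^rule (?P<rule>\d+)/\((?P<reason>\w+)\) (?P<action>match|pass|block) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) (?P<seq>\d+):"
)


def parse_pflog(text):
    """Parse pflog text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("rule", "sport", "dport", "seq"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def group_by_seq(events):
    """Group events by TCP sequence number so one packet's in/out records sit together."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["seq"]].append(ev)
    return groups


def completed_chains(events, orig_dst, new_dst, nat_src):
    """Sequence numbers for which an inbound hit on orig_dst was followed by an
    outbound pass to new_dst with the source rewritten to nat_src."""
    done = []
    for seq, evs in group_by_seq(events).items():
        inbound = [e for e in evs if e["dir"] == "in"
                   and (e["dst"], e["dport"]) == orig_dst]
        outbound = [e for e in evs if e["dir"] == "out" and e["action"] == "pass"
                    and (e["dst"], e["dport"]) == new_dst and e["src"] == nat_src]
        if inbound and outbound:
            done.append(seq)
    return done


def untranslated_egress(events, new_dst, nat_src):
    """Outbound passes to new_dst whose source was NOT rewritten to nat_src: the
    'rdr-to worked, nat-to never reached' case. Replies to such packets never return."""
    return [e for e in events if e["dir"] == "out" and e["action"] == "pass"
            and (e["dst"], e["dport"]) == new_dst and e["src"] != nat_src]


if __name__ == "__main__":
    ok = parse_pflog(SAMPLE_OK)
    print("completed:", completed_chains(ok, ("10.101.0.17", 25), ("8.8.8.8", 3333), "10.101.0.17"))
    bad = parse_pflog(SAMPLE_NO_NAT)
    for e in untranslated_egress(bad, ("8.8.8.8", 3333), "10.101.0.17"):
        print("leaked source on rule", e["rule"], ":", e["src"], "->", e["dst"])
```

Run it against the output of `tcpdump -n -e -ttt -i pflog0` (with the wrapped lines re-joined) to confirm that every redirected SMTP SYN also carries the firewall's own address as source before it leaves; any hit from `untranslated_egress` means the nat-to rule is not being matched for that packet.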

On Fri, Feb 14, 2020 at 8:33 AM Fabio Martins <
fm+obsd+misc+l...@phosphorusnetworks.com> wrote:

>
> Hi Nick,
>
> Thanks. I applied both rules below, unfortunately I am still only hitting
> rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
> test). I tried inverting the order, too, but no luck.
>
> #1
> match in on $ext_if proto tcp from <spammers> to ($ext_if) port 25 \
> rdr-to 200.200.200.200 port 2222
>
> #2
> match out on $ext_if proto tcp to 200.200.200.200 port 2222 received-on \
> $ext_if nat-to ($ext_if)
>
> --
> Fabio Martins
>
> > Hi Fabio,
> >
> > I believe this will do what you want, seemed to work in quick testing
> > here, adjust to suit your environment.
> >
> >
> > match in on $ext_if proto tcp from <spammers> to ($ext_if) port 25
> > rdr-to 200.200.200.200 port 2222
> > match out on $ext_if proto tcp to 200.200.200.200 port 2222 received-on
> > $ext_if nat-to ($ext_if)
> >
>
