Hello.
I have a couple of hosts that I want to use binat with. However, I would
like a daemon running locally on the pf machine to be accessible via a tcp port
on one of the external IP addresses. To phrase it another way, for one of the
external IP addresses, I want to steal away new connection traffic that is
inbound to a specific port and have it go to a daemon on the pf machine
directly -- except for that single port, I'd like the standard binat semantics.
This would need to be done statefully since if the binat host whose inbound
port I'm stealing sends a packet with a source port matching the port that I'm
stealing, that connection would still need to get properly translated.
However, I'm not sure how to do this. From reading pf.conf, it seems that the
binat rules are parsed first, so if I tried to use an rdr rule to catch and
redirect the traffic intended for the local daemon, the rule would never get
applied as intended.
I'm also not sure if a "no binat" rule could be used here to do what I want.
From the conf file grammar, it appears that there is no provision for supplying
a port number in a binat rule.
Is there a (reasonable) way to do what I'm asking?
Thanks.
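An added pf.conf sketch (not from the original post or its author) of the layout asked about above, written in the pre-OpenBSD 4.7 binat/rdr syntax that the post uses. The interface, addresses and port numbers are placeholders. It assumes that for inbound packets pf consults the rdr rules before the binat rules, so an rdr rule for the single port takes precedence while everything else destined for that external address still follows the binat mapping; the state entries created by the pass rules keep each connection's translation consistent in both directions.

```pf
# Added example, not part of the original post; all names/addresses are placeholders.
ext_if            = "em0"
ext_ip            = "192.0.2.10"   # external address that is binat'ed to $int_host
int_host          = "10.0.0.10"    # internal host behind the binat
steal_port        = "2222"         # inbound port to divert to the local daemon
local_daemon_port = "22"           # port the daemon listens on locally

# Bidirectional 1:1 mapping for the internal host (standard binat semantics).
binat on $ext_if from $int_host to any -> $ext_ip

# Inbound connections to one port on the external address are redirected to
# the daemon on the pf machine itself instead of the binat host. Assumption:
# inbound rdr rules are matched before binat rules, so this rule wins for that
# port only; every other port on $ext_ip is still handled by the binat above.
rdr on $ext_if proto tcp from any to $ext_ip port $steal_port \
    -> 127.0.0.1 port $local_daemon_port

# Filter rules see the translated addresses. Stateful matching means that an
# outbound connection from $int_host with source port $steal_port gets its own
# state entry via binat and is not confused with inbound traffic to the daemon,
# because the two flows differ in their address/port 4-tuple.
pass in  on $ext_if proto tcp from any to $int_host flags S/SA keep state
pass in  on $ext_if proto tcp from any to 127.0.0.1 port $local_daemon_port \
    flags S/SA keep state
pass out on $ext_if from $ext_ip to any keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -s nat` to confirm both translation rules are present. Whether the assumed ordering holds on a given pf version can be checked by opening a connection to the stolen port and looking at `pfctl -s state`: the entry should show 127.0.0.1 as the translated destination, while a connection initiated from $int_host with that source port shows a separate binat state.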