The pf user's guide mentions redirection primarily for incoming traffic... but tonight I had an unusual situation to deal with where an unknown client somewhere on a 150 square mile wireless LAN was infected with Welchia.

I played with rdr to force this person's outbound http requests to all go to a sandbox web server that I set up with some patches and a cleaner.

What would have been even nicer is if I could have intercepted all http requests to my sandbox that tells them they are infected, but still allow them to go directly to windowsupdate.microsoft.com, symantec.com etc. for the fixes.

From what I see there's no way to do something like:

rdr proto tcp from 10.2.3.4 to any except 81.52.249.73 \
port 80 -> 192.168.1.2

Alternatively, I could try doing this at the DNS level and on my sandbox DNS server, wildcard everything in ".", but create the few zones with real records that I want the client to reach.


Or maybe my sandbox could link to http://windowsupdate.microsoft.com:81 and I can rdr that to port 80 on the real host?

Are there any better ideas I'm missing here?

Mike
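One way to express the "redirect everything except a few hosts" quarantine in pf itself, as an added example that is not part of the post above: pf tables can be negated in a rule's destination, so the exceptions go in a table and the rdr matches everything else. This uses the pre-OpenBSD 4.7 rdr syntax of the era; the interface name, the sandbox address and the table contents are placeholders.

```conf
# Quarantine configuration (assumed values; adjust for your network)
int_if  = "em0"            # interface the wireless clients sit behind
sandbox = "192.168.1.2"    # sandbox web server with patches and cleaner

# Hosts the quarantined client may still reach directly, e.g. the
# addresses of windowsupdate.microsoft.com / symantec.com resolved by hand.
# (81.52.249.73 is the address from the post; add the real ones.)
table <allowed_http> { 81.52.249.73 }

# Infected clients; persist keeps the table when rules are reloaded and
# entries can be managed at runtime:
#   pfctl -t infected -T add 10.2.3.4
#   pfctl -t infected -T delete 10.2.3.4
table <infected> persist { 10.2.3.4 }

# Outbound HTTP from an infected host to anything NOT in <allowed_http>
# is redirected to the sandbox; the vendor sites pass through untouched.
rdr on $int_if proto tcp from <infected> to !<allowed_http> port 80 \
    -> $sandbox port 80

# Let the redirected and the permitted connections through.
pass in on $int_if proto tcp from <infected> to $sandbox port 80 keep state
pass in on $int_if proto tcp from <infected> to <allowed_http> port 80 keep state
```

Because the redirect is done by IP, the sandbox still sees the original Host: header, so its web server needs a default virtual host that answers for any name with the "you are infected" page.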
