[This is a reposted message, originally sent to misc and tech, but pf
should be the best place]

Hi,

I'd like to suggest an improvement to the pf functionalities.
I have the same problem as explained in the freebsd-pf mailing list [1].

Is it possible to implement destination port rewriting for *any*
destination?
"rdr on $int proto tcp from any to any port 23801 -> any port 25"

The case which matters is the following:
In a private LAN, there are 40 MTAs which are sending some emails.
Between these servers and destination SMTP servers (potentially any SMTP
server over internet), we have OpenBSD gateways with multiple public IPs
(250 for example).

The goal is to have <MTAx> connect to a remote SMTP server with a
programmatically selected route.

The idea is to ask the MTA to reach the remote SMTP server on a defined
port, let's say 23801.
So we have a connection from <MTA1> going to yahoo's MX on port 23801
through the OpenBSD gateway.
I imagined a couple of rules to rewrite the destination port like this:

in pf:
rdr pass on $lan_if inet proto tcp from $lan_net to any port 23801 tag OUT_PUB_001 -> any port 25
nat on $ext_if from $lan_net to any port 25 tagged OUT_PUB_001 -> $public_ip_001

rdr pass on $lan_if inet proto tcp from $lan_net to any port 23802 tag OUT_PUB_002 -> any port 25
nat on $ext_if from $lan_net to any port 25 tagged OUT_PUB_002 -> $public_ip_002


In English:
A connection with destination port 23801 is rewritten to destination
port 25 (and the connection is tagged as well) using an RDR, and in a
second step, with the tag, this connection is NATed to a determined
public IP #1; and
a connection with destination port 23802 is rewritten to destination
port 25 (and the connection is tagged as well) using an RDR, and in a
second step, with the tag, this connection is NATed to a determined
public IP #2.

Thus we would obtain something like:

MTA1 (connection to yahoo-mx:23801) -> gateway (rewrite 23801 to 25 and
source NAT with the first public IP) -> yahoo-mx:25
and
MTA32 (connection to yahoo-mx:23802) -> gateway (rewrite 23802 to 25 and
source NAT with the SECOND public IP) -> yahoo-mx:25

Currently the trick used is to assign multiple internal IPs to each MTA
and set them to bind themselves to given IPs, and in the pf.conf we have
a NAT rule for each internal IP.
It's not really scalable, because for 40 MTAs and 250 public IPs we have
to set up 250 IPs on each MTA and insert 10000 rules inside the pf.conf.

Regards,
Damien

[1] http://kerneltrap.org/mailarchive/freebsd-pf/2008/5/8/1766534/thread
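As an added illustration (not part of the original post, and not pf code or a pf feature), the following Python script generates the tag-linked rdr/nat rule pairs in the syntax Damien proposes, simulates the two gateway steps he describes (rewrite destination port 2380x to 25 and tag, then pick the public source IP by tag), and compares the rule counts of the current workaround with the proposed scheme. Interface and address names come from the post; the helper names, the sample public IPs and the simulator itself are hypothetical.

```python
#!/usr/bin/env python3
"""Added example, not from the original post or from pf itself.

Generates the rdr/nat pairs in the syntax proposed on the list and
simulates how a gateway applying them would treat an MTA connection.
Interface/net names ($lan_if, $ext_if, $lan_net) and the tag naming
(OUT_PUB_001, ...) follow the post; everything else is hypothetical.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

BASE_PORT = 23801   # first "virtual" destination port the MTAs connect to
SMTP_PORT = 25      # real destination port after the rdr rewrite


@dataclass(frozen=True)
class GatewayPolicy:
    """One public IP, selected by one virtual port and one tag."""
    port: int
    tag: str
    public_ip: IPv4Address


def build_policies(public_ips):
    """Map port 23801+i -> tag OUT_PUB_{i+1} -> i-th public IP."""
    return [
        GatewayPolicy(BASE_PORT + i, f"OUT_PUB_{i + 1:03d}", IPv4Address(ip))
        for i, ip in enumerate(public_ips)
    ]


def render_pf_rules(policies, lan_if="$lan_if", ext_if="$ext_if",
                    lan_net="$lan_net"):
    """Emit one rdr/nat pair per public IP, in the syntax the post proposes.

    Note: the '-> any port 25' redirection target is exactly the feature
    being requested on the list; this renders the proposal, nothing more.
    """
    lines = []
    for p in policies:
        lines.append(
            f"rdr pass on {lan_if} inet proto tcp from {lan_net} "
            f"to any port {p.port} tag {p.tag} -> any port {SMTP_PORT}"
        )
        lines.append(
            f"nat on {ext_if} from {lan_net} to any port {SMTP_PORT} "
            f"tagged {p.tag} -> {p.public_ip}"
        )
    return "\n".join(lines) + "\n"


@dataclass
class Conn:
    """A simplified TCP connection as seen by the gateway."""
    src: str
    dst: str
    dport: int
    tag: Optional[str] = None


def apply_gateway(policies, conn):
    """Simulate the two-step flow described in the post.

    Returns the connection as it would leave $ext_if, or None when no
    rdr rule matches the destination port (the packet is left alone).
    """
    by_port = {p.port: p for p in policies}
    p = by_port.get(conn.dport)
    if p is None:
        return None
    # step 1: rdr rewrites the destination port 2380x -> 25 and tags the state
    rewritten = Conn(src=conn.src, dst=conn.dst, dport=SMTP_PORT, tag=p.tag)
    # step 2: nat on $ext_if matches on the tag and selects the public source IP
    return Conn(src=str(p.public_ip), dst=rewritten.dst,
                dport=rewritten.dport, tag=rewritten.tag)


def rule_counts(n_mtas, n_public_ips):
    """Current workaround (one nat rule per internal IP per MTA) vs proposal."""
    return {"current": n_mtas * n_public_ips, "proposed": 2 * n_public_ips}


if __name__ == "__main__":
    # Constructed sample: two public IPs from the documentation range.
    pols = build_policies(["203.0.113.1", "203.0.113.2"])
    print(render_pf_rules(pols))
    # MTA32 connecting to yahoo's MX on 23802 leaves from the SECOND public IP.
    print(apply_gateway(pols, Conn("10.0.0.32", "yahoo-mx", 23802)))
    print(rule_counts(40, 250))
```

Run it as a script to see the rendered ruleset and the simulated egress for a connection to port 23802; the rule-count helper reproduces the 10000-rule figure from the post against 500 rules (one rdr plus one nat per public IP) under the proposed scheme.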
