Hello whistlez,

whistlez...@riseup.net (whistlez), 2024.06.20 (Thu) 02:49 (CEST):
> I have sslsplit listening on 127.0.0.1 port 10443 and I want to redirect
> all my outgoing desktop web traffic to sslsplit, then localhost port
> 10443. SSLSPLIT is just a kind of transparent proxy but cannot be used
> as a conventional proxy (set up on the browser config). Reading the
> pf.conf man seems that there isn't a way to do that.

Is the sslsplit transparent proxy running on the same machine on which
your web browsing happens?

If the answer is yes, then PF simple rdr-to will not work. The PF
examples in sslsplit(1) clearly assume running on the firewall. From
cursory reading I'd play around with veb(4) if I were you. Your locally
generated traffic will only be outbound on your local network interface
and therefore rdr-to will not help. You need to find a way to send the
traffic on a detour over a virtual network interface, where the traffic
is inbound and can be rdr-to'ed.

If the answer is "no" and sslsplit transparent proxy is running on your
firewall, then just filter and redirect on the inbound interface, as the
examples in sslsplit(1) say.

Marcus

> For example rdr-to does not support redirection to localhost.
> man:
> rdr-to is usually applied inbound. If applied outbound, rdr-to to a
> local IP address is not supported.
> Divert-to does not support outgoing traffic ("pass out" or "match out").
>
> Also I tried to make an IF alias like this
> ifconfig em0 inet 192.168.0.6 255.255.255.0
> ifconfig em0 inet alias 192.168.0.7 255.255.255.0
> my gw is 192.168.0.1
> I put sslsplit listening on 192.168.0.7 (the alias) port 10443 and I
> make a pf rule like this:
> pass out log on em0 proto tcp from 192.168.0.6 to port 443 rdr-to
> 192.168.0.7 port 10443
> pass out log on em0 proto tcp from 192.168.0.6 to port 80 rdr-to
> 192.168.0.7 port 10080
> even this does not work... I suspect that even 192.168.0.7 is local ip.
> Any help ?
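The two pf.conf(5) restrictions quoted in the thread (rdr-to to a local address is not supported on an outbound rule; divert-to does not apply to outbound traffic) are easy to trip over because pfctl loads such rules without complaint. The following checker is an added example written for this page, not code from the thread, from sslsplit or from OpenBSD: it scans pf.conf rule lines and flags those two cases. The set of local addresses is constructed from the ifconfig lines in the thread plus loopback, the sample rules are the two rules whistlez posted plus two constructed ones, and the parser only understands rules written in the simple one-line form shown on the page (no tables, macros or interface-name targets).

```python
import re
from ipaddress import ip_address

# Constructed from the thread: em0 address, its alias, and loopback.
LOCAL_ADDRS = {"127.0.0.1", "192.168.0.6", "192.168.0.7"}

# Constructed sample: whistlez's two rules, a divert-to variant, and an
# inbound rule of the kind the sslsplit(1) firewall examples use.
SAMPLE_PF_CONF = """\
pass out log on em0 proto tcp from 192.168.0.6 to port 443 rdr-to 192.168.0.7 port 10443
pass out log on em0 proto tcp from 192.168.0.6 to port 80 rdr-to 192.168.0.7 port 10080
pass out on em0 proto tcp from 192.168.0.6 to port 443 divert-to 127.0.0.1 port 10443
pass in quick on em1 proto tcp to port 443 rdr-to 127.0.0.1 port 10443
"""

# Leading action and optional direction keyword of a rule line.
RULE_RE = re.compile(r"^(?P<action>pass|match|block)\b(?:\s+(?P<dir>in|out)\b)?")
# Translation target: rdr-to / divert-to followed by a literal IP address.
TARGET_RE = re.compile(r"\b(?P<kind>rdr-to|divert-to)\s+(?P<addr>[0-9A-Fa-f:.]+)\b")


def check_rule(line, local_addrs=LOCAL_ADDRS):
    """Return a finding for one pf.conf line, or None if it raises no concern."""
    rule = line.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
    if not rule:
        return None
    head = RULE_RE.match(rule)
    target = TARGET_RE.search(rule)
    if not head or not target:
        return None  # not a filter rule, or no translation target to inspect
    direction = head.group("dir")  # None means the rule applies in both directions
    kind = target.group("kind")
    try:
        addr = str(ip_address(target.group("addr")))  # normalise, reject non-IP targets
    except ValueError:
        return None
    # pf.conf(5): divert-to does not support outgoing traffic.
    if kind == "divert-to" and direction == "out":
        return f"divert-to on an outbound rule is not supported: {rule}"
    # pf.conf(5): if applied outbound, rdr-to to a local IP address is not supported.
    if kind == "rdr-to" and direction == "out" and addr in local_addrs:
        return f"rdr-to a local address ({addr}) on an outbound rule is not supported: {rule}"
    return None


def lint_pf_conf(text, local_addrs=LOCAL_ADDRS):
    """Return the list of findings for a whole pf.conf text."""
    findings = []
    for line in text.splitlines():
        finding = check_rule(line, local_addrs)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in lint_pf_conf(SAMPLE_PF_CONF):
        print(finding)
```

Run against the sample, the checker reports whistlez's two rdr-to rules and the divert-to variant, and accepts the inbound rule; a real deployment would build the local address set from ifconfig output rather than a hard-coded constant, and the alias address 192.168.0.7 is exactly why it belongs in that set.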