
Re: pf rdr on requests originating from firewall box itself



On Sat, Jun 14, 2003 at 04:52:26PM -0400, Michael Purcaro wrote:
> Telnet can never connect. Doing the same thing on a computer in the internal
> network works fine. Of course, using the internal IP also works perfectly. I
> have played a bit with additional rdr rules in pf.conf, but I haven't found
> the right one yet. I guess it is an issue with my pf.conf rules and the way
> things are ordered on the TCP stack (and the interface being used)?  Any
> hints would be greatly appreciated! :)

This is not currently possible. A rdr rule only applies to packets
coming in through an interface. A connection originating from the
firewall itself does not come in through any interface, it only leaves
through one. And rdr only applies to incoming connections. If you manage
to route the connection through loopback, you might have a chance to
translate the destination there, but I've never tried.

pf only supports translating source addresses of outgoing connections
and destination addresses of incoming connections. Those are the two
most commonly used. Of course it could also offer the other two
(translate destination on outgoing, source on incoming). But the way the
translations are implemented you can have at most one translation per
state entry. Theoretically, one could translate both source and
destination addresses in a single state entry, in any direction. It's
just not implemented, as it's rarely used. And it would require
structural changes at the core (state table keys), so it's not just
adding two lines of code.

In the worst case, you have to add another host in front of the first
one, which does rdr on its internal interface (where the connections do
arrive in through). Or move the service whose connections you want to
redirect from the firewall to another internal host. Shouldn't be
running services on a firewall anyway :)

Daniel
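Added illustration, not part of the thread: a pf.conf fragment for the "host in front" workaround Daniel describes, where a separate box holds the public address and the old firewall becomes an ordinary internal client. Interface names and addresses are placeholders; the rules use the 2003-era `rdr on`/`nat on` syntax (newer pf writes the same thing as `rdr-to`/`nat-to` options on `pass` rules).

```pf
# pf.conf on the host placed *in front* (it holds the public address).
# The former firewall box is now just another client behind $int_if.
# All interface names and addresses below are placeholders.
ext_if  = "fxp0"            # upstream, public side
int_if  = "fxp1"            # faces the internal net, old firewall included
int_net = "10.0.0.0/24"
ext_ip  = "192.0.2.1"       # public address (documentation range)
telnet  = "10.0.0.5"        # internal host that actually runs telnet

# rdr only matches packets coming *in* on the named interface.
# External clients arrive in on $ext_if ...
rdr on $ext_if proto tcp from any      to $ext_ip port 23 -> $telnet port 23
# ... and internal hosts (the old firewall among them) arrive in on $int_if.
# A connection started on this pf box itself would match neither rule,
# which is exactly the limitation discussed above.
rdr on $int_if proto tcp from $int_net to $ext_ip port 23 -> $telnet port 23

# Caveat taken from the pf FAQ's "redirection and reflection" section, not
# from this thread: when client and server share $int_net, the server would
# answer the client directly and the client would see a reply from $telnet
# instead of $ext_ip. Translating the source on the way out keeps the
# return path on this box.
nat on $int_if proto tcp from $int_net to $telnet port 23 -> $int_if

# Filter rules see the already-translated destination.
pass in  on $ext_if proto tcp from any      to $telnet port 23 keep state
pass in  on $int_if proto tcp from $int_net to $telnet port 23 keep state
pass out on $int_if proto tcp from any      to $telnet port 23 keep state
```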