Old 24th June 2008
halber_mensch (Real Name: halber mensch)

Are you testing from inside or outside your network? Be sure to read the relevant section of the pf documentation regarding redirection and reflection (

rdr on $ext_if proto tcp from any to $ext_if port 80 -> $server \
port 80

But when the redirection rule is tested from a client on the LAN, it doesn't work. The reason is that redirection rules apply only to packets that pass through the specified interface ($ext_if, the external interface, in the example). Connecting to the external address of the firewall from a host on the LAN, however, does not mean the packets will actually pass through its external interface. The TCP/IP stack on the firewall compares the destination address of incoming packets with its own addresses and aliases and detects connections to itself as soon as they have passed the internal interface. Such packets do not physically pass through the external interface, and the stack does not simulate such a passage in any way. Thus, PF never sees these packets on the external interface, and the redirection rule, specifying the external interface, does not apply.
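The interface-specific behaviour described in that quote is normally handled by adding a second redirection on the internal interface plus a NAT rule so the server's replies come back through the firewall. The following pf.conf fragment is an added example, not code from the post or from the FAQ text quoted above; it uses the same pre-4.7 rdr/nat syntax as the rule shown, and the interface names, network and server address are assumed values.

```pf
# Added example; em0/em1, 192.168.1.0/24 and 192.168.1.40 are assumed values
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"
server  = "192.168.1.40"        # web server sitting on the LAN

# Redirect for clients arriving on the external interface (Internet side).
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $server port 80

# Reflection: LAN clients connecting to the firewall's external address enter
# on $int_if, so the rdr has to be repeated on that interface.
rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> $server port 80

# Leave the firewall's own connections to the LAN untranslated ...
no nat on $int_if proto tcp from $int_if to $int_net
# ... but NAT the reflected connections to $int_if, otherwise the server would
# answer the LAN client directly, bypassing the firewall's state entry.
nat on $int_if proto tcp from $int_net to $server port 80 -> $int_if

# Filter rules are evaluated after translation, so they match on $server.
pass in on $ext_if proto tcp from any to $server port 80 flags S/SA keep state
pass in on $int_if proto tcp from $int_net to $server port 80 flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm the translation is actually taking place with `pfctl -s nat` and `pfctl -s state` while a LAN client connects to the external address. From OpenBSD 4.7 onward the same thing is written with `match ... rdr-to` and `nat-to` options on filter rules rather than separate rdr/nat rules, but the interface logic is unchanged. The pf FAQ also points out that reflection can be avoided altogether by resolving the server's name to its LAN address for internal clients (split-horizon DNS) or by putting the server on its own network segment.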
perl -e "eval pack(q{H*}, join q{},qw{7072696e74207061636b28717b482a7d2c717b34393 23036333631366532303666366536633739323036313733373 33735366436353230373936663735323036353738373036353 63337343635363432303734363836393733323037343666323 03632363532303631323036633639373437343663363532303 66436663732363532303635366537343635373237343631363 93665363936653637326530617d293b})"