FreeBSD General: Other questions regarding FreeBSD which do not fit in any of the categories below.
They are two separate actions. The 'rdr pass' rule allows connections to port 80 (in other words: no additional filter rules are involved or consulted) and triggers the redirection (translation), the second 'pass out' rule concerns the subsequent 'new' translated connection, caused by the redirection. Sure, it feels like you're doing the same thing twice, but to pf, these are two entirely separate entities which need their own rules.
This behaviour is clearly documented in the pf man page
Code:
TRANSLATION
     Translation rules modify either the source or destination address of the
     packets associated with a stateful connection.  A stateful connection is
     automatically created to track packets matching such a rule as long as
     they are not blocked by the filtering section of pf.conf.  The translation
     engine modifies the specified address and/or port in the packet,
     recalculates IP, TCP and UDP checksums as necessary, and passes it to the
     packet filter for evaluation.

     Since translation occurs before filtering the filter engine will see
     packets as they look after any addresses and ports have been translated.
     Filter rules will therefore have to filter based on the translated address
     and port number.  Packets that match a translation rule are only
     automatically passed if the pass modifier is given, otherwise they are
     still subject to block and pass rules.

     The state entry created permits pf(4) to keep track of the original
     address for traffic associated with that state and correctly direct return
     traffic for that connection.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
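The two posts above describe the same mechanism from two sides: 'rdr pass' accepts the original inbound packet and rewrites its destination, and the filter section then sees only the translated packet, which still needs its own 'pass out' rule. The following pf.conf fragment is an added example, not taken from the thread or from the pf documentation; the interface names, the internal server address and the port are assumptions chosen to make the two rules visible side by side.

```pf
# Added example (not from the thread). Interface names and addresses are
# assumptions: em0 faces the Internet, em1 faces the LAN with the web server.
ext_if  = "em0"
int_if  = "em1"
web_srv = "192.168.1.10"

# --- Translation section (must precede the filter rules on FreeBSD pf) ---
# 'rdr pass' does two things at once: it rewrites the destination of inbound
# TCP/80 traffic to $web_srv, and it passes that original inbound packet, so
# no 'pass in on $ext_if ... port 80' filter rule is consulted or needed.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# --- Filter section ---
# Default deny first (pf evaluates filter rules last-match-wins, so the
# specific pass rule below overrides this for the traffic it describes).
block all

# The filter engine now sees the translated packet: destination
# 192.168.1.10:80, leaving through $int_if. Without this rule the block above
# would drop it, even though 'rdr pass' accepted the packet before translation.
# 'keep state' lets pf map the return traffic back to the original address.
pass out on $int_if proto tcp from any to $web_srv port 80 keep state
```

A syntax check without loading the ruleset is `pfctl -nf /etc/pf.conf`; to confirm which rule drops a translated packet when the 'pass out' line is missing, add `log` to the `block all` rule and watch `pflog0` with `tcpdump -n -e -ttt -i pflog0`, which shows the packet with its already-translated destination address.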