Tricky inbound redirect with pf
How would you go about writing rules for pf to redirect inbound traffic on a host A to another host B while keeping the original source IP? (Host A will then be the gateway for the response from B to make the traffic return the same way it came in.)
In my toy example there are three hosts:
The below rule will redirect properly, but the response is dropped by the client. I'm not sure how to make the router (192.168.0.1) change the source IP on the response with pf so that it looks like it's coming from 192.168.0.1 instead of 192.168.0.2. It's important that the server sees the client IP.
Code:
pass in proto tcp from any to 192.168.0.1 port 443 rdr-to 192.168.0.2
I followed your advice, and with the same pf rule - with just the target IP changed, since I put the server on another subnet - it works as I had hoped. Thank you jggimi.
Here is a follow-up question. I have a network like the one below.
Code:
           .-----------------.
[Network A]                   '
           '                 /
Internet - [VPN] - [Router]
                          \
                           [Network B]

The behavior I'm looking for is, regarding traffic from the server: if the destination is not in network B (local clients), then block the traffic from using the default gateway and force it out through the VPN, which is the same way it came in. I don't know how to do that. Pointers? (Local clients on network B can work with server(s) on network A without issues.)
Forgot to mention that the server needs the client IP, which rules out the NAT solution.
Below is a rule that I have tried; the return traffic never shows up on enc0.
Code:
pass in log on enc0 proto tcp from any to $router port $port \
    rdr-to $server port $port reply-to enc0
Setting up a matching flow works for external access to the server. Local access from other internal networks is gone, but I can probably rewrite the flows or create bypass rules. I would much rather try to keep the entire setup within /etc/pf.conf though.
From enc(4): Quote:
The way I solved it is that I set up a bypass rule in /etc/ipsec.conf:
Code:
flow esp out from $server to $networkb type bypass

Thanks for the pointer to the enc(4) man page. I think I have an expectation that the man pages are not that informative (coming from other operating systems), but I'm really very pleasantly surprised by the information I can find in them.
Last edited by wbe; 15th February 2019 at 01:35 PM.
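Pulling the thread together as one worked configuration (an added example, not wbe's or jggimi's actual files): the first post's rule already does what was asked, because rdr-to rewrites only the destination address, so the server sees the real client IP. What broke the toy setup was asymmetric return: with client, router and server on one subnet, the server answered the client directly, and the client dropped a reply from 192.168.0.2 for a connection it had opened to 192.168.0.1. Moving the server to its own subnet, with the router as its default gateway, forced the reply back through the state that pf had created, and pf un-translated it on the way out. In the VPN follow-up the same rdr-to keeps working, but what decides whether the server's reply leaves through the tunnel is the IPsec SPD (the flows), not pf's reply-to; the fix was a flow that matches server-to-client traffic into the tunnel plus the bypass flow above for local clients. Interface names, addresses, the peer address and the layout of the pre-existing tunnel below are all assumptions; only the rules that concern the redirect are shown, so merge them into your own ruleset rather than replacing it.

```conf
# ---- /etc/pf.conf (redirect-related rules only; added example) ----
ext_if   = "em0"            # default-route interface (assumed)
int_if   = "em1"            # Network B, local clients (assumed)
vpn_if   = "enc0"           # IPsec tunnel; VPN clients arrive here
router   = "192.168.1.1"    # this host, the address VPN clients connect to (assumed)
server   = "192.168.1.10"   # the server; its default gateway is this host (assumed)
networkb = "192.168.1.0/24" # local clients (assumed)
port     = "443"

# Only the destination is rewritten, so $server logs the real client IP.
# The state created here un-translates the reply when it comes back
# through this host; that is why $server must route via this host.
pass in log on $vpn_if proto tcp from any to $router port $port \
    rdr-to $server port $port

# Local clients talk to the server directly and never touch enc0.
pass in on $int_if from $networkb to $server

# Safety net: if a server reply to a non-local client is not picked up
# by an IPsec flow, it must not leak out through the default gateway
# in the clear. The reply has the client's address as destination, so
# this is everything from $server that is not for Network B.
block out quick on $ext_if from $server to ! $networkb

# ---- /etc/ipsec.conf (flow layout assumed; added example) ----
server   = "192.168.1.10"
networkb = "192.168.1.0/24"
networka = "10.0.0.0/24"    # the remote client network (assumed)
peer     = "203.0.113.1"    # remote VPN gateway (assumed, documentation range)

# The existing tunnel between the two networks (assumed form).
ike esp from $networkb to $networka peer $peer

# Make the server's replies to any client address match the tunnel,
# so they leave on enc0 the same way the request came in.
ike esp from $server to any peer $peer

# ...but keep traffic to local clients in the clear, otherwise the
# flow above pulls local access into the tunnel too (what the thread
# observed before adding this line).
flow esp out from $server to $networkb type bypass
```

Before loading, syntax-check with `pfctl -nf /etc/pf.conf` and `ipsecctl -nf /etc/ipsec.conf`; after loading, `ipsecctl -s flow` shows whether the server-to-any flow and the bypass are installed in the order you expect, and `tcpdump -ni enc0 port 443` is the quickest way to confirm that the reply packets are actually entering the tunnel rather than disappearing towards the default gateway (if they do, the block rule above logs them on pflog0).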