PF: How to use rdr syntax in one string without the word "pass"?

Hi, please help me.
I want to redirect a port from the Internet to a local host on the external interface:
So I enable the NAT redirect:
Code:
....
rdr on $if_ext proto tcp from any port >= 1024 to $if_ext port 993 -> $lan_host
....
and create a rule on the external interface:
Code:
....
pass in on $if_ext proto tcp from any port >= 1024 to $if_ext port 993 keep state
....
and create a rule on the internal interface for outgoing packets from the Internet to the local host:
Code:
...
pass out on $if_int proto tcp from any port >= 1024 to $lan_host port 993 keep state
...
This does not work, but with the word "pass" in the string it works fine!
Code:
....
rdr pass on $if_ext proto tcp from any port >= 1024 to $if_ext port 993 -> $lan_host
....
Please help: where is the error in the rule syntax for the internal or external interfaces?
 
rdr works only with the word "pass" in the string:
Code:
rdr pass on $if_ext proto tcp from any port >= 1024 to $if_ext port 993 -> $lan_host
????
 
I want to redirect a port from the Internet to a local host on the external interface:
So I enable the NAT redirect:
Code:
....
rdr on $if_ext proto tcp from any port >= 1024 to $if_ext port 993 -> $lan_host
....
and create a rule on the external interface:
Code:
....
pass in on $if_ext proto tcp from any port >= 1024 to $if_ext port 993 keep state
....
This does not work, but with the word "pass" in the string it works fine!
Filter rules get to see the traffic after any translations have been applied, so your filter rules need to match on the translated address, like so:
Code:
pass in on $if_ext proto tcp from port >= 1024 to $lan_host port 993
 
The source port of a connection is usually greater than or equal to 1024, but there are still some protocols that use a privileged source port; NTP is one of them. It's kind of academic whether the source port restriction actually provides any better security, because someone could just as well be sourcing an IMAP TCP connection from a privileged port, and that doesn't prove that the connecting host is compromised. I would just use:

Code:
pass in on $if_ext proto tcp from any to $lan_host port 993

A matter of taste, but I would use this type of construct for linking the rdr and the pass rules.

Code:
rdr on $if_ext proto tcp from any to $if_ext port 993 tag rdr_imap -> $lan_host

...

pass in on $if_ext tagged rdr_imap

I hope I remembered the details right but the tagging saves you from repeating much of the details in the pass rule.
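As an added example, not code from the thread, here is a minimal pf.conf in FreeBSD's pre-4.7 `rdr ... ->` syntax that puts both replies together: the filter rule matches the already-translated destination, and the tagged variant avoids repeating the addresses. The interface names and the LAN address are assumed placeholders.

```conf
# Assumed placeholders; replace with the real interfaces and host.
if_ext = "em0"
if_int = "em1"
lan_host = "192.168.1.10"

set skip on lo0

# Default policy for the external interface. pf is last-match-wins,
# so this goes before the pass rules that override it.
block in on $if_ext

# Translation runs before filtering. Without "pass" on this line the
# redirected packet must still match a filter rule, and by the time the
# filter sees it the destination is $lan_host, not $if_ext.
rdr on $if_ext proto tcp from any to $if_ext port 993 -> $lan_host

# Variant 1: filter on the translated destination address.
pass in on $if_ext proto tcp from any to $lan_host port 993 keep state

# Variant 2 (use instead of the two rules above): the rdr rule tags the
# packet and the filter rule matches the tag. Per the pf.conf(5) grammar
# "tag" sits before "->" in an rdr rule.
# rdr on $if_ext proto tcp from any to $if_ext port 993 tag rdr_imap -> $lan_host
# pass in on $if_ext tagged rdr_imap keep state

# The forwarded packet leaves on $if_int with the translated address too.
# With the default floating state policy the state created by "pass in"
# already matches it, so this rule is optional but harmless.
pass out on $if_int proto tcp from any to $lan_host port 993 keep state
```

Check the file without loading it with `pfctl -nf /etc/pf.conf`, then confirm what is active with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules).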
 