rdr pass rules with divert

Hello,

When using a rdr pass rule, what order is this happening in? Do I apply the filter first, then the redirect? Can I use the divert-to pass rule with the redirect?
 
The pf.conf should be ordered like this:

Macros
Tables
Options
Traffic Normalization
Queueing
Translation
Packet Filtering

The translation (redirect) happens before the packet runs through the filter engine. You should write the redirect rules before the filter rules. Then you should write a filter rule which lets the packet pass.

There is one exception. If you write a Translation rule like this:

Code:
rdr pass on t10 proto tcp from any to $WebServer port 80

The keyword pass will redirect packets statefully through the filter engine. Hope this will help you. You can find this information in the manual.

I don't really understand what you mean by divert-to.

What I mean is that pf.conf lists a divert-to and divert-reply functionality. I have been able to use a raw socket to listen to traffic that is not specifically addressed to me with the divert-to, and reinject it in the stream. The problem is if I run the redirect before I run the divert, the destination address will be wrong.
 
Ok. Didn't use this option so far. But you should be aware when you do a redirect: the packet will be changed, so the filter will see the changed packet.

Example:
Code:
rdr on em0 proto tcp from 179.28.30.140 to 80.37.120.54 port 80 -> 192.168.1.30 port 8080

Before translation the packet looks like this:

  • Source address: 80.37.120.54
  • Source port: 5045
  • Destination address: 80.37.120.54
  • Destination port: 80

After translation:
  • Source address: 80.37.120.54
  • Source port: 5045
  • Destination address: 192.168.1.30
  • Destination port: 8080

The filter will see the changed packet, so your rule must match the changed packet.
Hope this helps.
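A worked pf.conf fragment that pulls the two points of this thread together: translation runs before filtering, so filter rules must match the rewritten header, and `rdr pass` lets the redirected packets through statefully without a separate filter rule. This is an added example, not configuration posted by anyone in the thread. The interface em0, the addresses, the ports and the divert-to line are assumptions; the syntax is the old separate-Translation-section syntax used above (FreeBSD pf, and OpenBSD before 4.7, where rdr became a `rdr-to` option on match/pass rules).

```pf
# Added example (not from this thread). Old-style pf.conf with a separate
# Translation section, as used above (FreeBSD pf, OpenBSD before 4.7).
# Interface, addresses, ports and the divert-to line are assumptions.

ext_if  = "em0"
pub_ip  = "80.37.120.54"
web_srv = "192.168.1.30"

# --- Translation: evaluated before the filter rules below ---

# Plain rdr only rewrites the packet; it still has to pass the filter.
rdr on $ext_if proto tcp from any to $pub_ip port 80 -> $web_srv port 8080

# rdr pass: matching packets are passed statefully without consulting
# the filter rules at all, so no pass rule is needed for port 443.
rdr pass on $ext_if proto tcp from any to $pub_ip port 443 -> $web_srv port 8443

# --- Packet filtering: sees the packet AFTER translation ---

block in log on $ext_if

# WRONG: this matches the pre-translation header, which the filter never
# sees, so port-80 traffic is dropped by the block rule above.
# pass in on $ext_if proto tcp from any to $pub_ip port 80

# RIGHT: match the rewritten destination address and port.
pass in on $ext_if proto tcp from any to $web_srv port 8080 flags S/SA keep state

# divert-to is a filter-rule option (assumed FreeBSD pf syntax), so it too
# runs after translation: to hand the redirected web traffic to a divert
# socket, match the translated header, not $pub_ip port 80.
# pass in on $ext_if proto tcp from any to $web_srv port 8080 divert-to 127.0.0.1 port 8668
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -s nat` and `pfctl -s rules` print the translation and filter rule sets separately, in the order pf evaluates them, which makes it easy to confirm that a filter rule is written against the translated addresses.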
 