RDR rule problem

I am trying to change the route on a redirected package with no success. Here are my lines in pf.conf:
Code:
rdr on rl1 proto tcp from any to 192.168.250.21 port 8081 -> 192.168.35.123
pass out on rl1 route-to (rl1 192.168.250.31) from any to any keep state
Here is the pf documentation mentioning that the pass out route must apply to my configuration.
Code:
Redirection and Packet Filtering
NOTE: Translated packets must still pass through the filter engine and will be blocked or passed based 
on the filter rules that have been defined. 
The only exception to this rule is when the pass keyword is used within the rdr rule. In this case, the 
redirected packets will pass statefully right through the filtering engine: the filter rules won't be 
evaluated against these packets.


What is it that I am doing wrong?
 
Virus_2 said:
I am trying to change the route on a redirected package with no success

Here are my lines in pf.conf

rdr on rl1 proto tcp from any to 192.168.250.21 port 8081 -> 192.168.35.123
pass out on rl1 route-to (rl1 192.168.250.31) from any to any keep state

Here is the pf documentation mentioning that the pass out route must apply to my configuration.

Redirection and Packet Filtering
NOTE: Translated packets must still pass through the filter engine and will be blocked or passed based
on the filter rules that have been defined.
The only exception to this rule is when the pass keyword is used within the rdr rule. In this case, the
redirected packets will pass statefully right through the filtering engine: the filter rules won't be
evaluated against these packets.


What is it that I am doing wrong?
No, that's talking about something else - that address translation happens before filter rules are examined, unless you have rdr pass, in which case no additional filter rule is examined.

Anyway, are the rules loaded?
You don't need (route-to). As a matter of fact if you only have those two rules, you don't need the second either as that's there by default.
What's behind those networks? Do you need NAT in other direction as well?
 
I have got 2 gateways on my rl1 interface 192.168.250.31 and 192.168.250.30.

Default gateway is 192.168.250.30. But I want to redirect my openvpn traffic on the second gateway as well as one or two other services. So I came up with this configuration.
Code:
nat on rl1 from 192.168.35.0/24 to any -> rl1

rdr on rl1 proto tcp from any to 192.168.250.21 port 8081 -> 192.168.35.123
pass out on rl1 route-to (rl1 192.168.250.31) from any to any keep state

#openvpn rule
pass out on rl1 route-to (rl1 192.168.250.31) proto udp from any port 1194 to  any

block proto tcp from any to port 25
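
Added example, not part of any post in this thread: a pf.conf fragment showing the evaluation order described in the reply above (rdr rewrites the destination first, then filter rules see the translated address, unless rdr pass is used). The addresses and rl1 come from the thread; the int_if macro and its value em0 are assumptions, as is the premise of the commented reply-to variant that these connections arrive through 192.168.250.31.

```pf
# Added example; not the poster's ruleset.
# Assumption: em0 is the interface facing 192.168.35.0/24 (not named in the thread).
int_if = "em0"

# --- Translation: evaluated first, on the packet as it arrives on rl1 ---
# No port after the target, so the destination port stays 8081.
rdr on rl1 proto tcp from any to 192.168.250.21 port 8081 -> 192.168.35.123

# --- Filtering: evaluated after rdr; last matching rule wins ---
block log all

# Would never match the redirected connection: by the time filter rules
# run, the destination is no longer 192.168.250.21.
# pass in on rl1 proto tcp from any to 192.168.250.21 port 8081 keep state

# Matches: filter rules see the translated destination.
pass in on rl1 proto tcp from any to 192.168.35.123 port 8081 keep state

# The forwarded packet is filtered again when it leaves toward the server.
pass out on $int_if proto tcp from any to 192.168.35.123 port 8081 keep state

# Variant 1: "rdr pass" creates the state itself and skips the filter
# rules for the redirected packets, so the default block above and any
# logging or rate limits in the ruleset are not applied to this service.
# rdr pass on rl1 proto tcp from any to 192.168.250.21 port 8081 -> 192.168.35.123

# Variant 2 (assumption: these connections arrive via 192.168.250.31).
# reply-to is attached to the rule that creates the state, so replies
# of the connection leave through that gateway instead of the default route.
# pass in on rl1 reply-to (rl1 192.168.250.31) proto tcp \
#     from any to 192.168.35.123 port 8081 keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading, then confirm which rule created the state with pfctl -vss.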
 