
PF redirect local outgoing packets

Martian

#1
Hello,

I'm trying to set up port multiplexing using sslh. Importantly, I have to use that nice 'transparent' feature that makes traffic distributed locally by sslh look like it comes from the external interface. It looks something like this:


Code:
Browser[A]-----------[http/ssl]-------> sslh[B 443] ------------nginx[C 4443]----> ......
                              IP A -> IP B                             IP A -> IP C  - nginx is in jail :)                

....-----------------> skipped sslh[B 443] --------------------> Browser[A]
 reply back     IP C:4443 -> IP A[some port]     [TRAFFIC IGNORED]
Now of course IP C can't directly connect to IP A because this breaks the session. The jail is behind NAT, so actually IP A receives packets that it doesn't expect at all.

I tried to add rdr rules to change IP A to IP B:443 instead so that sslh will receive them. It was unsuccessful. I also tried to add a no nat rule for that specific case and again tried to redirect. No success again. Then I searched around and found that outgoing packets actually can't be redirected by the packet filter. The most interesting discussion I came across was this one from the FreeBSD mailing lists: https://lists.freebsd.org/pipermail/freebsd-pf/2005-September/001495.html

Unfortunately that didn't work out for me either.

If somebody knows how I could do that, I would be grateful. If anyone would like to see some traces or details of the actual setup, I could provide that too.

Regards,
Martin
 

SirDice

#2
I would suggest setting up net/haproxy for load-balancing/multiplexing and offloading the SSL on HAProxy.
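To make the suggestion in #2 concrete, here is an added example HAProxy configuration (it is not from this thread, nor from the HAProxy or sslh projects) that multiplexes SSH and HTTPS on port 443, terminates TLS in HAProxy, and passes the original client address to the jailed nginx in X-Forwarded-For instead of relying on sslh's transparent mode. All addresses, the certificate path and the backend names are assumptions: 10.0.0.3 stands in for the nginx jail (IP C), 127.0.0.1:8443 is a loopback hop internal to HAProxy, and /usr/local/etc/haproxy/site.pem is a combined cert+key file.

```haproxy
# Added example, not part of the original thread. Assumed: nginx jail at
# 10.0.0.3:4443, SSH on 127.0.0.1:22, cert+key bundle in site.pem.
global
    log /var/run/log local0
    maxconn 4096

defaults
    log     global
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# 1. Raw TCP front door on 443: decide between TLS and everything else
#    by looking for a ClientHello within the inspect delay. An SSH client
#    waits for the server banner and sends nothing, so the delay expires
#    with no hello and the connection falls through to the SSH backend.
frontend ft_mux
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend bk_ssh if !{ req.ssl_hello_type 1 }
    default_backend bk_https_local

backend bk_ssh
    mode tcp
    server ssh 127.0.0.1:22

# 2. Hand TLS connections to the terminating frontend over loopback.
#    send-proxy/accept-proxy carry the real client IP across that hop,
#    so the HTTP layer still sees the external source address.
backend bk_https_local
    mode tcp
    server https_local 127.0.0.1:8443 send-proxy

frontend ft_https
    bind 127.0.0.1:8443 accept-proxy ssl crt /usr/local/etc/haproxy/site.pem
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend bk_nginx

# 3. Plain HTTP to the jail. Replies return to HAProxy, not to the client,
#    so no rdr of outgoing packets is needed on the host.
backend bk_nginx
    mode http
    server nginx 10.0.0.3:4443 check
```

Because nginx now talks to HAProxy rather than to the client, it must be told to trust the proxy's X-Forwarded-For header, for example with `set_real_ip_from 10.0.0.2;` (the assumed host/HAProxy address) and `real_ip_header X-Forwarded-For;` in its config; without that, nginx logs and access rules see HAProxy's address. Note that `req.ssl_hello_type` only separates TLS from non-TLS clients, which is enough for SSH-vs-HTTPS but less general than sslh's protocol probing.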