PF Use synproxy with rdr

I am using rdr to translate specific ports between two interfaces. Is it possible to use synproxy with this? I am not able to make it work.
 
Synproxy and rdr work fine together. What does not work (or make sense) is synproxying to the localhost, or synproxying on "out" connections (if pf even lets you do that), so if you're doing either of those, don't.

If you post your rules we can help more.
 
Here is an example of what I am attempting to do, a simple port forwarding. What I do not understand is where to place the synproxy.
Code:
int_if="en0"
ext_if1="wm0"
ext_if2="wm1"
ext_if3="wm2"
wes_ip="192.168.200.1"

wes_tcp_ports="{4899, 5357, 8000:8999, 10000:49999 }"
wes_udp_ports="{123, 161, 500, 938, 980, 3702, 4500, 5355, 8000:49999}"

nat on $ext_if1 from $int_if:network to any -> ($ext_if1:0)
rdr pass on $ext_if1 inet proto tcp from any to any port $wes_tcp_ports -> $wes_ip flags S/SA synproxy state
rdr pass on $ext_if2 inet proto tcp from any to any port $wes_tcp_ports -> $wes_ip

rdr pass on $ext_if1 inet proto udp from any to any port $wes_udp_ports -> $wes_ip
rdr pass on $ext_if2 inet proto udp from any to any port $wes_udp_ports -> $wes_ip

pass in log all
 
Oh, you're doing "rdr pass" instead of separate 'rdr' and 'pass' rules. I don't think you can do that and specify state types (keep/modulate/synproxy), as I'm pretty sure you're simply limited to using "pass" or not having it there at all. Running pfctl -nf on your ruleset gives me a syntax error on that line, which seems to confirm that unless there's another arrangement that works that I'm unaware of.

What I'd suggest is separating your translation rules from your filtering rules. While it's more concise to keep them together, I'm not a fan of doing so, as combining them bypasses all filtering, including anti-spoofing rules.

Edit: If you want to make sure the 'pass' is only used in conjunction with the 'rdr' rule for additional security, you can use policy based filtering. Search for 'tag' or 'tagged' in the pf.conf(5) man page.
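The layout suggested above, written out as an added pf.conf example (not from either poster): the rdr rule only translates and tags, so the packet still traverses antispoof and the filter rules, and the separate pass rule carries the synproxy state. It reuses the macros from the posted ruleset and assumes a single external interface and the tag name WES_RDR.

```pf
# Added example: translation and filtering kept in separate rules.
int_if="en0"
ext_if1="wm0"
wes_ip="192.168.200.1"

wes_tcp_ports="{ 4899, 5357, 8000:8999, 10000:49999 }"
wes_udp_ports="{ 123, 161, 500, 938, 980, 3702, 4500, 5355, 8000:49999 }"

# Outbound NAT for the internal network, unchanged from the original.
nat on $ext_if1 from $int_if:network to any -> ($ext_if1:0)

# Translation only. No "pass" keyword here, so these packets are still
# subject to every filter rule below. The tag (WES_RDR is an assumed name)
# lets the filter rules match exactly the traffic this rdr touched.
rdr on $ext_if1 inet proto tcp from any to ($ext_if1) port $wes_tcp_ports \
    tag WES_RDR -> $wes_ip
rdr on $ext_if1 inet proto udp from any to ($ext_if1) port $wes_udp_ports \
    tag WES_RDR -> $wes_ip

# Anti-spoofing now applies to the forwarded traffic as well, because the
# rdr rule no longer bypasses filtering.
antispoof quick for $ext_if1 inet

block in log all

# Filter rules. The destination is already rewritten to $wes_ip by the time
# filtering runs, so match on the internal address. "tagged WES_RDR" is the
# policy-based check: only packets the rdr rule translated get through.
# synproxy state makes pf complete the TCP handshake itself before the
# internal host ever sees the connection; it is meaningful for TCP only.
pass in on $ext_if1 inet proto tcp from any to $wes_ip port $wes_tcp_ports \
    tagged WES_RDR flags S/SA synproxy state

# UDP has no handshake to proxy, so plain state tracking is used here.
pass in on $ext_if1 inet proto udp from any to $wes_ip port $wes_udp_ports \
    tagged WES_RDR keep state

# Let replies and internal traffic out.
pass out on $ext_if1 inet keep state
```

Check the syntax without loading it with pfctl -nf /etc/pf.conf, the same command the earlier reply used to spot the "rdr pass ... synproxy state" error.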
 
Thank you! I like your suggestion and will change it to have translation and rules separate.
 