
Yet Another PF (authpf) Question.



Hey,

Is there a way to configure authpf to redirect an incoming connection on a
specific port _and_ change the packet's source address so that the new
destination will correctly respond via the firewall?

Quick background: I have a wandering, disorganized, computer-illiterate boss
who needs to send mail from his laptop from any network, without changing
any of his computer's settings. I've set up postfix to handle this, but it's
on a local 192.168.0.0/24 net behind our firewall. One of the networks he
needs to be able to send mail from is our local wireless network, same
subnet. When he's on the same subnet as the mail server and tries to send an
email, the connection gets routed to the firewall, which routes it to the
mail server, which then responds directly to his laptop because I can't
convince authpf to change the redirected packet's source address.

I've tried combinations of (where $ext_ip = 63.200.94.38, $int_ip = 192.168.0.128
and $smtp_ip = 192.168.0.251):

nat on rl0 proto tcp from $user_ip to $ext_ip port 25 -> $int_ip
rdr on rl0 proto tcp from $int_ip to $ext_ip port 25 -> $smtp_ip
(I think I remember reading that authpf loads its rules bottom-up.)

...and...

rdr on rl0 proto tcp from $int_ip to $ext_ip port 25 -> $smtp_ip
nat on rl0 proto tcp from $user_ip to $ext_ip port 25 -> $int_ip
(Just in case I was wrong.)

...and...

rdr on rl0 proto tcp from $user_ip to $ext_ip port 25 -> $smtp_ip
nat on rl0 proto tcp from $user_ip to $ext_ip port 25 -> $int_ip
(Which doesn't really make much sense to me, but it was worth trying.)

...and so on. I've also tried using tagging. Although I'm still not terribly
comfortable with pf, I've read the man pages and sundry how-tos and have
usually been able to figure this stuff out before.

Thanks.

- Rob.
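An added worked example of pf "reflection" for the setup Rob describes; it is not part of his message and not a reply from the list. It assumes rl0 is the internal (wireless) interface, reuses the addresses from the post, and uses the pre-4.7 nat/rdr syntax the post uses; the key point is that rdr acts on packets arriving on rl0 while nat acts on packets leaving rl0 after the rdr has already rewritten the destination, so the nat rule must match $smtp_ip rather than $ext_ip.

```pf
# /etc/pf.conf: hand per-user translation and filter rules to authpf's anchors
# (required by authpf(8) for rdr/nat rules in authpf.rules to take effect).
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
anchor     "authpf/*"

# /etc/authpf/authpf.rules: loaded by authpf when a user authenticates, with
# $user_ip set to that user's address. Addresses are those from the post;
# rl0 as the internal interface is an assumption.
int_if  = "rl0"
ext_ip  = "63.200.94.38"
int_ip  = "192.168.0.128"
smtp_ip = "192.168.0.251"

# 1. Inbound on rl0: the laptop's connection to the public address is
#    redirected to the internal mail server.
rdr on $int_if proto tcp from $user_ip to $ext_ip port 25 -> $smtp_ip

# 2. Outbound on rl0: the same packet now has destination $smtp_ip, so the
#    nat rule must match that, not $ext_ip. Rewriting the source to the
#    firewall's own address makes the mail server reply to the firewall,
#    which keeps the whole session (and its state/logging) on the firewall
#    instead of letting the server answer the laptop directly.
nat on $int_if proto tcp from $user_ip to $smtp_ip port 25 -> $int_ip

# 3. Filter rules see the translated packet.
pass in  quick on $int_if proto tcp from $user_ip to $smtp_ip port 25 keep state
pass out quick on $int_if proto tcp to $smtp_ip port 25 keep state
```

Check the result with `pfctl -a "authpf/<user>(<pid>)" -s nat` and `pfctl -s state` after logging in through authpf: the state for the reflected connection should show both the destination and the source translation.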
