[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: rdr with no port?

To: tech@openbsd.org
Subject: Re: rdr with no port?
From: Daniel Hartmeier <daniel@benzedrine.cx>
Date: Fri, 11 Jan 2002 10:54:06 +0100
Content-Disposition: inline
References: <20020111100602.B27547@hermit.omnitel.lan>
User-Agent: Mutt/1.2.5.1i

On Fri, Jan 11, 2002 at 10:06:02AM +0200, Denis A. Doroshenko wrote:

> rdr on fxp0 from any to xxx.xxx.xxx.xxx -> yyy.yyy.yyy.yyy
> 
> that could mean, redirect icmp (anyway not having "port"), udp and tcp
> (keeping port value unchanged) to another ip, i.e. do just address
> mapping. what about such thing? Daniel?

That's what -current does :)

> Date: Mon, 10 Dec 2001 11:08:12 -0700 (MST)
> Changes by:     dhartmei@cvs.openbsd.org

> Log message:
> Add stateful filtering for other (non-TCP/UDP/ICMP) protocol, based on
> source/destination addresses/ports only.
> Add RDR for ICMP. Add NAT/RDR/BINAT for other protocols.
> Destination and redirection port(s) are now optional for RDR rules.
> Not specifying destination port(s) means 'redirect all ports', not
> specifying redirection port(s) means 'redirect to the original port'.

Which allows rules like

    # redirect all traffic to another host (all protocols)
    rdr on kue0 from any to any -> 10.1.2.3

    # redirect all traffic from a certain host to another host
    rdr on kue0 from 62.65.145.30 to any -> 10.1.2.3

    # redirect all tcp ports to a single port on another host
    rdr on kue0 proto tcp from any to any -> 10.1.2.3 port 22

    # redirect a range of ports to the same ports on another host
    rdr on kue0 proto tcp from any to any port 1024:2048 -> 10.1.2.3

    # redirect the GRE protocol to another host
    rdr on kue0 proto gre from any to any -> 10.1.2.3

> #ifdef OFF_SUBJECT
> BTW, saw strange thing: internal interface was up with 10/8 on it,
> external if was down with public IP, with N rules, and anti-spoof R
> rules. internal workstation (with 10/8 address) pinged extrnal if's
> address, and showed that TTL reched 0 in transmission. kinda loop?
> #endif

I'm not sure. What happens when you disable pf in the same situation, do
you get a different result? The packet should only pass the internal if
(and possibly loopback), not the external if, if the destination address
is the fw's own external address.

Daniel

References:
- rdr with no port?
  - From: "Denis A. Doroshenko" <d.doroshenko@omnitel.net>

Prev by Date: Re: sparc-current && /dev/fb
Next by Date: unwanted warnings at boot time
Prev by thread: rdr with no port?
Next by thread: Re: rdr with no port?
Index(es):
- Date
- Thread