
Re: can pf be used as a generic tcp proxy?



On Thu, 24 Feb 2005 09:34:27 +0000, Marcus Popp <marcus_(_dot_)_popp_(_at_)_247net_(_dot_)_de> wrote:
> On 2005-02-24T02:44, Kevin wrote:
> > On Wed, 23 Feb 2005 22:38:28 +0100, -f <f_(_at_)_obiit_(_dot_)_org> wrote:
> > > i am trying to accomplish the following:
> > > a frined of mine has a ban for a certain site (w.x.y.z)
> > > but can access any other site w/o problems.  what i would
> > > like to do is set up a generic proxy on my firewall to let
> > > him go to w.x.y.z thru my firewall (he is not on my lan):
> > >
> > > my friend's browser -> openbsd-firewall:some port -> w.x.y.z:80
> > > and back.
> > >
> > > is this possible using only pf?
> >
> > While it might be possible using only PF, and doing so would be
> > an interesting exercise,
. . .
> you could just use rdr in your pf.conf.
> 
> Thats sufficient.

Is it?  rdr doesn't rewrite the source IP address, only the destination
(and port), so you'd also need to add pf binat entries for a funky
one-armed NAT on $ext_if.

I'm assuming the "friend" is on a remote network, as is the site to be
accessed, so both the client and the server are on the far side of
$ext_if, while features like "rdr" and "binat" work best when you have
an "inside" and an "outside" with the client on one side and the server
on the other and the firewall as a router in the middle of it all.

K
--
I'm not saying that it's not possible, just that it's not advisable.
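The one-armed redirect-plus-source-rewrite that the reply above sketches, written out as a pf.conf fragment. This is an added example, not a config from the thread; it uses the pre-OpenBSD 4.7 nat/rdr syntax that was current in 2005, and a one-way `nat` rule for the source rewrite rather than `binat` (binat is a 1:1 bidirectional mapping of an inside address, which is not what a reflected connection on a single interface needs). The interface name, the friend's address, the target site and the listening port are placeholders.

```pf
# Placeholders (assumed values, not from the thread).
ext_if     = "em0"              # the firewall's only "outside" interface
friend     = "198.51.100.7"     # the remote client that is banned from $site
site       = "203.0.113.10"     # the w.x.y.z the friend wants to reach
proxy_port = "8080"             # port the friend points his browser at

# The firewall must route; with pf alone nothing forwards the packet.
#   sysctl net.inet.ip.forwarding=1

# 1. Inbound on $ext_if: rewrite the destination.
#    friend -> firewall:8080 becomes friend -> site:80.
#    Restricting "from $friend" matters: without it the firewall is an
#    open relay to $site for anyone on the Internet.
rdr on $ext_if proto tcp from $friend to ($ext_if) port $proxy_port -> $site port 80

# 2. Outbound on $ext_if: the redirected packet leaves through the very
#    same interface it came in on, so rewrite the source as well.
#    Without this the site would answer the friend's address directly,
#    the reply would never pass the firewall, and the state created by
#    the rdr would never see the return half of the connection.
#    nat matches post-rdr addresses, hence "to $site port 80".
nat on $ext_if proto tcp from $friend to $site port 80 -> ($ext_if)

# 3. Filter rules see translated addresses: destination after rdr on
#    the way in, source after nat on the way out.
pass in  on $ext_if proto tcp from $friend    to $site port 80 keep state
pass out on $ext_if proto tcp from ($ext_if)  to $site port 80 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` should show a pair of states per connection, one for the rdr'd inbound side and one for the nat'd outbound side. From the site's point of view every connection now originates at the firewall's address, which is exactly why the friend's ban no longer bites, and exactly why the `from $friend` restriction on the rdr rule should not be dropped.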