Re: can pf be used as a generic tcp proxy?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: can pf be used as a generic tcp proxy?
- From: Kevin <kkadow_(_at_)_gmail_(_dot_)_com>
- Date: Thu, 24 Feb 2005 04:23:11 -0600
- Reply-to: Kevin <kkadow_(_at_)_gmail_(_dot_)_com>
On Thu, 24 Feb 2005 09:34:27 +0000, Marcus Popp <marcus_(_dot_)_popp_(_at_)_247net_(_dot_)_de> wrote:
> On 2005-02-24T02:44, Kevin wrote:
> > On Wed, 23 Feb 2005 22:38:28 +0100, -f <f_(_at_)_obiit_(_dot_)_org> wrote:
> > > i am trying to accomplish the following:
> > > a friend of mine has a ban for a certain site (w.x.y.z)
> > > but can access any other site w/o problems. what i would
> > > like to do is set up a generic proxy on my firewall to let
> > > him go to w.x.y.z thru my firewall (he is not on my lan):
> > >
> > > my friend's browser -> openbsd-firewall:some port -> w.x.y.z:80
> > > and back.
> > >
> > > is this possible using only pf?
> > While it might be possible using only PF, and doing so would be
> > an interesting exercise,
. . .
> you could just use rdr in your pf.conf.
> That's sufficient.
Is it? rdr doesn't rewrite the source IP address, only the destination
(and port), so you'd also need to add pf binat entries for a funky
one-armed NAT on $ext_if.
I'm assuming the "friend" is on a remote network, as is the site to be
accessed, so both the client and the server are on the far side of
$ext_if, like "rdr" and "binat" work best when you have an "inside" and
an "outside" with the client on one side and the server on the other and
the firewall as a router in the middle of it all.
I'm not saying that it's not possible, just that it's not advisable.
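The point made in the reply above, that rewriting only the destination leaves the return path broken when client and server both sit beyond $ext_if, modeled as an added example (not part of the original message and not pf's own code). All addresses and ports are constructed (RFC 5737 documentation ranges), and the function names are hypothetical.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

# Constructed sample addresses and ports, not taken from the thread.
CLIENT, FIREWALL, SERVER = "198.51.100.7", "192.0.2.1", "203.0.113.80"
LISTEN_PORT, NAT_PORT = 8080, 50001

def forward(pkt, rewrite_source):
    """Translate a client->firewall packet on its way to the server."""
    out = pkt._replace(dst=SERVER, dport=80)               # destination rewrite only
    if rewrite_source:
        out = out._replace(src=FIREWALL, sport=NAT_PORT)   # plus source translation
    return out

def server_reply(pkt):
    """The server answers whatever source address it saw."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def reverse(reply, state):
    """Undo the translation, but only for replies that reach the firewall."""
    if reply.dst != FIREWALL:
        return reply          # routed straight to the client, never translated back
    orig = state[(reply.dst, reply.dport)]
    return Packet(FIREWALL, LISTEN_PORT, orig.src, orig.sport)

def client_accepts(syn, reply):
    """A TCP client only matches replies mirroring the 4-tuple it opened."""
    return reply == Packet(syn.dst, syn.dport, syn.src, syn.sport)

def handshake_completes(rewrite_source):
    """Return (accepted, reply_seen_by_client) for one connection attempt."""
    syn = Packet(CLIENT, 40000, FIREWALL, LISTEN_PORT)
    translated = forward(syn, rewrite_source)
    state = {(translated.src, translated.sport): syn}      # firewall state entry
    reply = reverse(server_reply(translated), state)
    return client_accepts(syn, reply), reply

if __name__ == "__main__":
    for label, flag in (("destination rewrite only", False),
                        ("destination + source rewrite", True)):
        ok, reply = handshake_completes(flag)
        print(f"{label}: client sees reply from {reply.src}:{reply.sport}, "
              f"accepted={ok}")
```

With the destination rewrite alone, the server's reply arrives at the client from the server's own address rather than from the firewall, so it matches no connection the client opened.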