
binat with daemon on pf machine


Bill Johnstone

Sep 17, 2008, 1:46:15 PM
Hello.

I have a couple of hosts that I want to use binat with. However, I would like a daemon running locally on the pf machine to be accessible via a tcp port on one of the external IP addresses. To phrase it another way, for one of the external IP addresses, I want to steal away new connection traffic that is inbound to a specific port and have it go to a daemon on the pf machine directly -- except for that single port, I'd like the standard binat semantics. This would need to be done statefully since if the binat host whose inbound port I'm stealing sends a packet with a source port matching the port that I'm stealing, that connection would still need to get properly translated.

However, I'm not sure how to do this. From reading pf.conf, it seems that the binat rules are parsed first, so if I tried to use an rdr rule to catch and redirect the traffic intended for the local daemon, the rule would never get applied as intended.

I'm also not sure if a "no binat" rule could be used here to do what I want. From the conf file grammar, it appears that there is no provision for supplying a port number in a binat rule.

Is there a (reasonable) way to do what I'm asking?

Thanks.


Martin Toft

Sep 17, 2008, 2:37:21 PM
On Wed, Sep 17, 2008 at 10:12:39AM -0700, Bill Johnstone wrote:
> Hello.
>
> I have a couple of hosts that I want to to use binat with. However, I
> would like a daemon running locally on the pf machine to be accessible
> via a tcp port on one of the external IP addresses.

You could do something like this if the local daemon listens on port
10000:

ext_if="lo0"
ext_ip1="192.168.0.2"
ext_ip2="192.168.0.3"
host1="10.0.0.2"
host2="10.0.0.3"

binat on $ext_if from $host1 to any -> $ext_ip1
nat on $ext_if from $host2 to any -> $ext_ip2
rdr on $ext_if inet proto tcp from any to $ext_ip2 port 1:9999 -> $host2
rdr on $ext_if inet proto tcp from any to $ext_ip2 port 10001:65535 -> $host2
rdr on $ext_if inet proto udp from any to $ext_ip2 -> $host2
rdr on $ext_if inet proto icmp from any to $ext_ip2 -> $host2

Please excuse the badly chosen interface and addresses...

Unfortunately, the unary operator != doesn't work with translation
rules, so we cannot do "port != $local_daemon_port".

Martin

Bill Johnstone

Sep 18, 2008, 8:13:28 PM
--- On Wed, 9/17/08, Martin Toft <m...@martintoft.dk> wrote:

> You could do something like this if the local daemon
> listens on port
> 10000:
>
> ext_if="lo0"
> ext_ip1="192.168.0.2"
> ext_ip2="192.168.0.3"
> host1="10.0.0.2"
> host2="10.0.0.3"
>
> binat on $ext_if from $host1 to any -> $ext_ip1
> nat on $ext_if from $host2 to any -> $ext_ip2
> rdr on $ext_if inet proto tcp from any to $ext_ip2 port
> 1:9999 -> $host2
> rdr on $ext_if inet proto tcp from any to $ext_ip2 port
> 10001:65535 -> $host2
> rdr on $ext_if inet proto udp from any to $ext_ip2 ->
> $host2
> rdr on $ext_if inet proto icmp from any to $ext_ip2 ->
> $host2

Thanks very much for your solution. If I use static-port with the nat, then these rules essentially construct a binat with the exception as I described. Looks like this is the way I will have to go to accomplish what I asked for.

Cheers.
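The configuration the thread arrives at, written out as a complete ruleset (an added example, not posted by either participant): binat for host1, and for host2 a nat rule with static-port plus rdr rules that skip the daemon's port, followed by the filter rules that let only that one port terminate on the pf host. It uses the pre-OpenBSD-4.7 nat/rdr syntax of the thread's era; the interface name, addresses and the daemon port 10000 are assumed placeholders.

```pf
# Constructed example, pre-OpenBSD-4.7 syntax (nat/binat/rdr as separate
# translation rules). Interface, addresses and daemon port are assumptions.
ext_if="em0"
ext_ip1="192.0.2.2"
ext_ip2="192.0.2.3"
host1="10.0.0.2"
host2="10.0.0.3"
daemon_port="10000"

# host1: plain bidirectional 1:1 mapping, no exception needed.
binat on $ext_if from $host1 to any -> $ext_ip1

# host2: emulate binat for everything except tcp/$daemon_port.
# Outbound: static-port keeps host2's source port unchanged, as binat would.
# Replies to those connections match the existing state entry before any
# translation rule is consulted, so a connection host2 opens from source
# port 10000 is still translated correctly on the way back in.
nat on $ext_if from $host2 to any -> $ext_ip2 static-port

# Inbound: redirect every port except the daemon's; != is not allowed in
# translation rules, so the exception is expressed as two ranges.
rdr on $ext_if inet proto tcp from any to $ext_ip2 port 1:9999 -> $host2
rdr on $ext_if inet proto tcp from any to $ext_ip2 port 10001:65535 -> $host2
rdr on $ext_if inet proto udp from any to $ext_ip2 -> $host2
rdr on $ext_if inet proto icmp from any to $ext_ip2 -> $host2
# No rdr for tcp/$daemon_port: it stays addressed to $ext_ip2 and is
# delivered to the daemon listening on the pf host itself.

# Filter rules: inbound is denied by default; only the daemon port may
# terminate on the pf host, and redirected traffic is matched against its
# post-translation (internal) destination.
block in on $ext_if
pass in on $ext_if inet proto tcp from any to $ext_ip2 port $daemon_port \
    flags S/SA keep state
pass in on $ext_if from any to { $host1, $host2 } keep state
pass out on $ext_if keep state
```

Running `pfctl -nf` on the file parses it without loading it, so the syntax can be checked before the rules go live.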

