Stupid pf tricks

From WTFwiki

Key services as non-root

Because I'm a bit paranoid and don't like things running as root, yet a process has to be root to bind to ports below 1024:

 rdr on $ext_if inet proto udp from any to ($ext_if) port 162 -> 127.0.0.1 port 10162

This means I can run my SNMP trap-catcher bound to 127.0.0.1:10162 as a non-root user, and pf does the dirty work. Keep in mind that pf applies translation before filtering, so the pass rule for the traps has to allow traffic to 127.0.0.1 port 10162, not to port 162.


"pf proxy"

(Customer) <--> [E](pf proxy)[I] <--> (Destination:D)

  • Note: this is awful. You've been warned.
  • E: "ext_if", customer-facing interface, IP: 1.2.3.4
  • I: "int_if", destination-facing interface, IP: 2.3.4.5
  • D: destination IP: 5.6.7.8
 ext_if="fxp0"
 int_if="fxp1"

 dest_real="5.6.7.8"
 dest_fake="2.3.4.5"

 rdr on $ext_if from any to $dest_fake -> $dest_real
 nat on $int_if from any to $dest_real -> ($int_if)

The order of the rdr and nat rules above matters, though I never pinned down exactly why.


Redirecting on a bridge(4) untagging/retagging VLANs on the way

  • fxp0: LAN-facing
  • fxp1: WAN-facing, valid ("routable") IP: 10.80.0.2/24
  • vlan150: vlan 50 vlandev fxp0, no IP
  • vlan250: vlan 50 vlandev fxp1, no IP
  • bridge0: (vlan150, vlan250)
  • Ruleset:
 lan_if="fxp0"
 wan_if="fxp1"
 vlan_if="vlan150"

 localhost="10.80.0.2"

 table <customer> { 10.70.0.0/29 }

 no rdr on $wan_if inet proto tcp from $localhost to any port 80
 rdr inet proto tcp from any to any port 80 -> ($wan_if) port 8008

 pass in quick on $vlan_if route-to ( lo0 127.0.0.1 ) proto tcp from <customer> to ($wan_if) port 8008

Determining Rule Numbers

When tcpdump -e on the pflog interface reports the number of the rule a packet matched, you can look up that rule with

 pfctl -sr -vv

which prints a numbered list of the rules. Scrub rules and the like show up in the output but don't increment the index, so a plain pfctl -sr and counting down to line XX won't work.
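To script that lookup, here is an added example (not from the wiki page): it pulls the rule number out of a pflog line as printed by tcpdump -e and finds the line carrying the matching "@N" prefix in pfctl -sr -vv output. The pfctl and pflog text it works on are constructed samples, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the wiki: map the "rule N/(match)" number that
# pflog/tcpdump prints back to the rule text in `pfctl -sr -vv` output.
# With -vv, pfctl prefixes each rule with "@N"; that N is the index pflog
# reports, and the indented statistics lines below each rule are skipped.

# Constructed sample of `pfctl -sr -vv` output (not captured from a real host).
PFCTL_OUTPUT='@0 block drop in all
  [ Evaluations: 10 Packets: 10 Bytes: 800 States: 0 ]
@1 pass out all flags S/SA keep state
  [ Evaluations: 5 Packets: 5 Bytes: 400 States: 1 ]
@2 pass in quick on vlan150 route-to (lo0 127.0.0.1) inet proto tcp from <customer> to (fxp1) port = 8008 flags S/SA keep state
  [ Evaluations: 3 Packets: 3 Bytes: 240 States: 1 ]'

# Constructed sample pflog line, as `tcpdump -n -e -ttt -i pflog0` prints it.
PFLOG_LINE='00:00:00.000000 rule 2/(match) pass in on vlan150: 10.70.0.2.40000 > 10.80.0.2.8008: S 1:1(0) win 16384'

# rule_number_from_pflog LINE -> prints N from "rule N/(match)", nothing if absent
rule_number_from_pflog() {
    printf '%s\n' "$1" | sed -n 's/.*rule \([0-9][0-9]*\)\/.*/\1/p'
}

# rule_by_number N -> prints the rule text tagged "@N", without the prefix;
# the statistics lines never start with "@N" so they are ignored.
rule_by_number() {
    printf '%s\n' "$PFCTL_OUTPUT" |
        awk -v n="$1" '$1 == ("@" n) { sub(/^@[0-9]+ /, ""); print; exit }'
}

# lookup_rule PFLOG_LINE -> the rule the logged packet matched
lookup_rule() {
    rule_by_number "$(rule_number_from_pflog "$1")"
}

lookup_rule "$PFLOG_LINE"
```

On a live box, replace PFCTL_OUTPUT with the output of pfctl -sr -vv and feed the script lines straight from tcpdump on pflog0.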