Stupid pf tricks
Latest revision as of 21:48, 4 January 2013
Key services as non-root..
Because I'm a bit paranoid and don't like things running as root, but a process has to be root to bind to ports below 1024...
rdr on $ext_if inet proto udp from any to ($ext_if) port 162 -> 127.0.0.1 port 10162
This means I can run my SNMP trap-catcher bound to 127.0.0.1:10162 as a non-root user, and pf does the dirty work.
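The unprivileged half of the trick, as an added example that is not from the wiki page: the rdr line above does the 162 -> 10162 redirect in the kernel, so the listener only ever has to bind the high loopback port. This stand-in for the trap-catcher renders that rdr line for any service, refuses to start as root, on a privileged port, or on anything but loopback (all of which would defeat the point), and receives one datagram. Addresses and ports are the page's own; the datagram sent by demo() is constructed, not a real SNMP PDU.

```python
# Added example (not from the wiki page): the non-root side of the rdr trick.
# Values are the page's own (127.0.0.1:10162 behind a port-162 rdr); the
# payload in demo() is constructed.
import os
import socket


def rdr_rule(ext_if, proto, priv_port, local_port, local_addr="127.0.0.1"):
    """Render the page's rdr line (OpenBSD pre-4.7 'rdr' syntax) for a given service."""
    return (f"rdr on ${ext_if} inet proto {proto} from any to (${ext_if}) "
            f"port {priv_port} -> {local_addr} port {local_port}")


def bind_policy_violation(addr, euid=None):
    """Return why binding addr would defeat the purpose, or None if it is fine.

    Port 0 is allowed: the kernel picks an ephemeral port, which is never privileged."""
    host, port = addr
    if euid is None:
        euid = os.geteuid()          # POSIX assumed
    if euid == 0:
        return "running as root; drop privileges first"
    if 0 < port < 1024:
        return f"port {port} is privileged; let pf rdr forward it instead"
    if host != "127.0.0.1":
        return "only pf should reach this socket; bind to loopback"
    return None


class TrapReceiver:
    """Minimal UDP receiver standing in for the SNMP trap-catcher."""

    def __init__(self, addr=("127.0.0.1", 10162), euid=None):
        problem = bind_policy_violation(addr, euid)
        if problem:
            raise PermissionError(problem)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(addr)
        self.addr = self.sock.getsockname()   # real port, even if 0 was requested

    def recv_one(self, timeout=2.0):
        """Wait for a single datagram; return (payload, peer)."""
        self.sock.settimeout(timeout)
        return self.sock.recvfrom(65535)

    def close(self):
        self.sock.close()


def demo(port=10162):
    """Bind the loopback port, deliver one constructed datagram to it, return the payload."""
    rx = TrapReceiver(("127.0.0.1", port), euid=1000)   # euid pinned so the demo runs anywhere
    try:
        tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            tx.sendto(b"constructed-trap-pdu", rx.addr)   # constructed payload, not real SNMP
        finally:
            tx.close()
        data, _peer = rx.recv_one()
    finally:
        rx.close()
    return data


if __name__ == "__main__":
    print(rdr_rule("ext_if", "udp", 162, 10162))
    print(demo())
```

The policy check is the part worth keeping: with the rdr in place, a listener that ever binds 162 itself, or binds 0.0.0.0, has silently undone the reason for running it unprivileged.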
"pf proxy"
(Customer) <--> [E](pf proxy)[I] <--> (Destination:D)
- Note.. this is awful. You've been warned.
- E: "ext_if", customer-facing interface, IP: 1.2.3.4
- I: "int_if", destination-facing interface, IP: 2.3.4.5
- D: destination IP: 5.6.7.8
ext_if="fxp0"
int_if="fxp1"
dest_real="5.6.7.8"
dest_fake="2.3.4.5"
rdr on $ext_if from any to $dest_fake -> $dest_real
nat on $int_if from any to $dest_real -> ($int_if)
ORDER OF rdr/nat RULES IS IMPORTANT, SOMEHOW.
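What the two translation rules do to a packet in each direction, as an added example that is not part of the wiki page: a small model in which rdr is applied on the interface a packet arrives on and nat on the one it leaves by (which is how pf applies them), with a state entry so the reply can be undone in reverse. Addresses are the page's own (ext_if 1.2.3.4, int_if and dest_fake 2.3.4.5, dest_real 5.6.7.8); the customer address, ports and the NAT port range are constructed. The thing to notice is the "awful" part: the destination only ever sees 2.3.4.5 as the client, so any source attribution has to come from state on the proxy.

```python
# Added example (not from the wiki page): model of the "pf proxy" ruleset.
# Page's addresses; customer address, ports and NAT port range are constructed.
from dataclasses import dataclass, replace

EXT_IF = "1.2.3.4"
INT_IF = "2.3.4.5"        # also dest_fake: what customers are told to connect to
DEST_FAKE = INT_IF
DEST_REAL = "5.6.7.8"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PfProxy:
    """rdr on $ext_if to $dest_fake -> $dest_real, then nat on $int_if -> ($int_if).

    rdr runs on the inbound interface, nat on the outbound one, so a customer
    packet is rewritten twice.  States are keyed on the translated tuple so the
    reply can be mapped back."""

    def __init__(self, first_nat_port=50000):
        self.next_port = first_nat_port    # constructed stand-in for pf's port selection
        self.states = {}                   # (nat_src, nat_sport, dst, dport) -> (customer, sport)

    def to_destination(self, pkt):
        # rdr on $ext_if: only traffic aimed at dest_fake is redirected
        if pkt.dst == DEST_FAKE:
            pkt = replace(pkt, dst=DEST_REAL)
        # nat on $int_if: anything now heading to dest_real leaves with int_if's address
        if pkt.dst == DEST_REAL:
            key = (INT_IF, self.next_port, pkt.dst, pkt.dport)
            self.states[key] = (pkt.src, pkt.sport)
            pkt = replace(pkt, src=INT_IF, sport=self.next_port)
            self.next_port += 1
        return pkt

    def from_destination(self, pkt):
        # Match the reply against state, then undo nat (dst -> customer)
        # and rdr (src -> dest_fake, the address the customer connected to).
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.states:
            return None      # no state: pf would treat it as a new, unrelated packet
        customer, sport = self.states[key]
        return replace(pkt, src=DEST_FAKE, dst=customer, dport=sport)


def walk_through(customer="198.51.100.7", sport=40000):
    """Return (what the destination sees, what the customer gets back)."""
    proxy = PfProxy()
    sent = Packet(customer, sport, DEST_FAKE, 80)
    at_dest = proxy.to_destination(sent)
    reply = proxy.from_destination(Packet(DEST_REAL, 80, at_dest.src, at_dest.sport))
    return at_dest, reply


if __name__ == "__main__":
    at_dest, reply = walk_through()
    print("destination sees:", at_dest)
    print("customer receives:", reply)
```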
Redirecting on a bridge(4) untagging/retagging VLANs on the way
- fxp0: LAN-facing
- fxp1: WAN-facing, valid ("routable") IP: 10.80.0.2/24
- vlan150: vlan 50 vlandev fxp0, no IP
- vlan250: vlan 50 vlandev fxp1, no IP
- bridge0: (vlan150, vlan250)
- Ruleset:
lan_if="fxp0"
wan_if="fxp1"
vlan_if="vlan150"
localhost="10.80.0.2"
table <customer> { 10.70.0.0/29 }
no rdr on $wan_if inet proto tcp from $localhost to any port 80
rdr inet proto tcp from any to any port 80 -> ($wan_if) port 8008
pass in quick on $vlan_if route-to ( lo0 127.0.0.1 ) proto tcp from <customer> to ($wan_if) port 8008
Determining Rule Numbers
When you run tcpdump -e on the pflog interface and pf reports the number of the rule the packet matched, you can look that rule up with
pfctl -sr -vv
which prints a numbered list of the rules. Scrub rules and the like show up in that output but don't increment the index, so running a plain pfctl -sr and counting down to line XX won't work.
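A parser for that lookup, as an added example that is not from the wiki page: it reads `pfctl -sr -vv` output into its @N-numbered rules with their counters, keeps the separately numbered scrub rules apart from the filter rules, and resolves the "rule N/..." number from a pflog line against the filter rules only. SAMPLE_PFCTL and SAMPLE_PFLOG are constructed to look like the real output and are not captured data; the assumption that scrub rules are listed first with their own numbering follows the page's own remark (on OpenBSD 4.6 and later scrub is an option on match/pass rules rather than a rule type, so that list is simply empty there).

```python
# Added example (not from the wiki page): map a pflog rule number to the
# matching rule in `pfctl -sr -vv` output.  Both samples are constructed.
import re

SAMPLE_PFCTL = """\
@0 scrub in all fragment reassemble
  [ Evaluations: 5         Packets: 0         Bytes: 0           States: 0     ]
@0 block drop in log all
  [ Evaluations: 120       Packets: 7         Bytes: 420         States: 0     ]
  [ Inserted: uid 0 pid 4242 State Creations: 0     ]
@1 pass in quick on fxp0 inet proto tcp from any to any port = 22 flags S/SA keep state
  [ Evaluations: 113       Packets: 96        Bytes: 10240       States: 3     ]
  [ Inserted: uid 0 pid 4242 State Creations: 3     ]
@2 pass out on fxp0 all flags S/SA keep state
  [ Evaluations: 40        Packets: 31        Bytes: 2048        States: 1     ]
  [ Inserted: uid 0 pid 4242 State Creations: 1     ]
"""

# constructed pflog line in the "rule N/..." form tcpdump -e shows for pflog
SAMPLE_PFLOG = "rule 0/0(match): block in on fxp0: 203.0.113.5.4444 > 1.2.3.4.23: S"

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
STATS_RE = re.compile(r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)")
PFLOG_RULE_RE = re.compile(r"\brule (\d+)/")


def parse_pfctl_rules(text):
    """Return {"scrub": [...], "filter": [...]}; each entry keeps its @N and counters."""
    rulesets = {"scrub": [], "filter": []}
    current = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            number, body = int(m.group(1)), m.group(2).strip()
            # scrub rules carry their own @N sequence; pflog numbers refer to
            # the filter rules, so the two sequences are kept apart
            kind = "scrub" if body.startswith("scrub") else "filter"
            current = {"number": number, "rule": body,
                       "evaluations": 0, "packets": 0, "bytes": 0, "states": 0}
            rulesets[kind].append(current)
            continue
        s = STATS_RE.search(line)
        if s and current is not None:
            (current["evaluations"], current["packets"],
             current["bytes"], current["states"]) = map(int, s.groups())
    return rulesets


def rule_for_pflog_line(pflog_line, rulesets):
    """Resolve the 'rule N/...' number in a pflog line to the filter rule text, or None."""
    m = PFLOG_RULE_RE.search(pflog_line)
    if not m:
        return None
    wanted = int(m.group(1))
    for r in rulesets["filter"]:
        if r["number"] == wanted:
            return r["rule"]
    return None


def lookup(pflog_line=SAMPLE_PFLOG, pfctl_output=SAMPLE_PFCTL):
    """One-shot helper: parse the pfctl output and resolve the pflog line against it."""
    return rule_for_pflog_line(pflog_line, parse_pfctl_rules(pfctl_output))


if __name__ == "__main__":
    rs = parse_pfctl_rules(SAMPLE_PFCTL)
    for r in rs["filter"]:
        print(f'@{r["number"]} packets={r["packets"]} {r["rule"]}')
    print("pflog line matched:", lookup())
```

Feeding it live output is `pfctl -sr -vv | python3 thisfile.py` territory; the counters it keeps per rule are also the quickest way to spot a block rule that is matching far more than expected.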