Re: pf.conf : rdr-to IF rather than IP

From: Bret S. Lambert (bret.lambertgmail.com)
Date: Sun Aug 29 2010 - 08:15:28 CDT


On Sun, Aug 29, 2010 at 02:05:40PM +0200, Jean-Francois wrote:
> Hello,
>
> I would like to redirect particular ports on the sub-network, not only on one
> IP address of the sub-network.
>
> Taking an example, I would like some software that listens on ports on different
> machines with different IP addresses without having to change the pf.conf rules
> each time it is needed.

So...you want traffic matching certain criteria duplicated to multiple
IP addresses on your network? Did you try to search for "duplicate"
in the pf.conf man page?

I'm not sure what your ultimate goal is (or how you won't have to do something
when "it is needed"), but, hey; whatever lifts your luggage.

>
> Regards
>
> > If you can explain what you're actually trying to do, rather
> > than talk about how you're thinking of accomplishing it, maybe
> > someone can suggest a way.
> >
> > On 2010-08-28, Jean-Francois <jfsimon1981gmail.com> wrote:
> > > Good evening,
> > >
> > > Is it possible to redirect to an IF or at least an IP range, as in the
> > > following rules?
> > >
> > > match in on $ext_if proto tcp from any to any port 1024:32768 \
> > >     rdr-to $int_if
> > >
> > > match in on $ext_if proto tcp from any to any port 1024:32768 \
> > >     rdr-to 192.168.100.0/16
> > >
> > > I am not sure it even makes sense in regard to a redirection in a network
> > > topology, but I'll try the question, since it can help to understand.
> > >
> > > I am thinking the probability is very high that a redirection of the above
> > > kind needs to copy the packets as many times as the range of IPs is wide.
> > >
> > > Thanks for helping me to understand this point.
> > >
> > > Jean-François
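A pf.conf fragment, added here as an example and not part of the thread, showing the usual way to get what the original poster seems to want (one rule, several internal listeners) with an address table and a round-robin pool rather than an interface or a whole netblock as the rdr-to target; the interface names, table name, host addresses and port range are assumptions.

```conf
# Added example, not from the thread. Interface names, the table name, the
# host addresses and the port range are assumptions made for this example.
ext_if = "em0"
int_if = "em1"

# Internal machines that actually run the listening software. Adding or
# removing a host means editing this table (or using pfctl -t listeners -T),
# not the redirection rule itself.
table <listeners> { 192.168.100.10, 192.168.100.11, 192.168.100.12 }

# Caveat: "rdr-to $int_if" would expand to the address of $int_if, i.e. the
# firewall's own internal address, so the connection would be delivered to
# the firewall and not to a host behind it. A table with a round-robin pool
# is what picks an internal host per connection; sticky-address keeps a given
# client on the host it was first sent to.
# Matching "to ($ext_if)" instead of "to any" keeps the redirection from
# also catching traffic merely forwarded through the firewall, and "log"
# makes every redirected connection visible in pflog.
pass in log on $ext_if inet proto tcp from any to ($ext_if) port 1024:32768 \
    rdr-to <listeners> round-robin sticky-address
```

Check the result with `pfctl -s rules` after loading, and `pfctl -s state` to see which internal host each external client was mapped to.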