  • Yet Another PF (authpf) Question.

    2 answers

    Hey,
    Is there a way to configure authpf to redirect an incoming connection on a
    specific port _and_ change the packet's source address so that the new
    destination will correctly respond via the firewall?
    Quick background: I have a wandering, disorganized, computer-illiterate boss
    who needs to send mail from his laptop from any network, without changing
    any of his computer's settings. I've set up postfix to handle this, but it's
    on a local 192.168.0.0/24 net behind our firewall. One of the networks he
    needs to be able to send mail from is our local wireless network, same
    subnet. When he's on the same subnet as the mail server and tries to send an
    email, the connection gets routed to the firewall, which routes it to the
    mail server, which then responds directly to his laptop because I can't
    convince authpf to change the redirected packet's source address.
    I've tried combinations of (with $ext_ip = 63.200.94.38, $int_ip = 192.168.0.128
    and $smtp_ip = 192.168.0.251):

    nat on rl0 proto tcp from $user_ip to $ext_ip port 25 -> $int_ip
    rdr on rl0 proto tcp from $int_ip to $ext_ip port 25 -> $smtp_ip

    (I think I remember reading that authpf loads its rules bottom-up.)
    and

    rdr on rl0 proto tcp from $int_ip to $ext_ip port 25 -> $smtp_ip
    nat on rl0 proto tcp from $user_ip to $ext_ip port 25 -> $int_ip

    (Just in case I was wrong.)
    and

    rdr on rl0 proto tcp from $user_ip to $ext_ip port 25 -> $smtp_ip
    nat on rl0 proto tcp from $user_ip to $ext_ip port 25 -> $int_ip

    (Which doesn't really make much sense to me, but it was worth trying.)
    and so on. I've also tried using tagging. Although I'm still not terribly
    comfortable with pf, I've read the man pages and sundry how-tos and have
    usually been able to figure this stuff out before.
    Thanks.
    - Rob.
  • No.1 (reply from Stuart Henderson, 12/27/05)

    > Quick background: I have a wandering, disorganized, computer-illiterate boss
    > who needs to send mail from his laptop from any network, without changing
    > any of his computer's settings. I've set up postfix to handle this, but it's
    > on a local 192.168.0.0/24 net behind our firewall. One of the networks he
    > needs to be able to send mail from is our local wireless network, same
    > subnet.

    So, he's directly on 192.168.0/24, and so is the mail server.

    I guess he's trying to access the mail server on its external address,
    am I right? You can't redirect a packet back out the interface it was
    received on, so that won't work. Either he'll need to use a different
    address for each location (which can sometimes be handled by having the
    name server hand out different addresses to queries from different
    subnets; some popular desktop OSes will cache the lookups for longer
    than you'd like, partly mitigated by stopping the 'DNS Client' service),
    or the mail server could be moved to a different nic on the firewall,
    or nc can be used to forward connections as described in the PF FAQ.

    authpf doesn't come into the equation here - the same would happen
    with ordinary firewall rules.
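    The nc-based forwarding the reply points to, worked through with this thread's
    addresses as an added example (not configuration from the thread or text copied
    from the PF FAQ). The listener port 5025, the macro names, and rl0 being the
    internal/wireless interface are assumptions; the addresses are the ones given in
    the question.

```conf
# /etc/inetd.conf (added example, assumed values)
# Bind nc on loopback only, so the proxy is reachable solely through the
# rdr below; each accepted session opens a fresh TCP connection from the
# firewall to the mail server, so the reply path no longer has to leave
# the interface the original packet arrived on.
127.0.0.1:5025 stream tcp nowait nobody /usr/bin/nc nc -w 20 192.168.0.251 25

# /etc/pf.conf fragment (added example, assumed values)
int_if     = "rl0"            # assumption: internal/wireless interface
ext_ip     = "63.200.94.38"   # firewall's external address (from the question)
smtp_ip    = "192.168.0.251"  # mail server on the internal subnet (from the question)
proxy_port = "5025"           # assumption: local port the inetd/nc proxy listens on

# Internal clients that talk to the external address on port 25 are sent
# to the local proxy instead of straight to the mail server.
rdr on $int_if proto tcp from $int_if:network to $ext_ip port 25 \
    -> 127.0.0.1 port $proxy_port

# Filter rules see the translated destination, so pass the redirected
# sessions to the proxy and nothing else on that port.
pass in on $int_if proto tcp from $int_if:network to 127.0.0.1 port $proxy_port
block in on $int_if proto tcp to 127.0.0.1 port $proxy_port
```

    Two things to check before relying on this: the mail server now sees every
    proxied session as coming from the firewall's own address rather than the
    laptop, so postfix logs lose the real client and any per-client relay or
    rate decisions (mynetworks, SMTP AUTH policy) are made against the firewall's
    address instead; and because the listener is on 127.0.0.1 and only reachable
    via the rdr, the `from $int_if:network` match is what keeps outside hosts from
    using the proxy. If the redirect should only exist while the user is
    authenticated, the rdr and pass lines belong in that user's authpf.rules
    rather than the global pf.conf.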
  • No.2 (reply from Rob)

    On 12/27/05, Stuart Henderson <stu (AT) spacehopper (DOT) org> wrote:

    > > Quick background: I have a wandering, disorganized, computer-illiterate boss
    > > who needs to send mail from his laptop from any network, without changing
    > > any of his computer's settings. I've set up postfix to handle this, but it's
    > > on a local 192.168.0.0/24 net behind our firewall. One of the networks he
    > > needs to be able to send mail from is our local wireless network, same
    > > subnet.
    >
    > So, he's directly on 192.168.0/24, and so is the mail server.

    Yeah, exactly.

    > I guess he's trying to access the mail server on its external address,
    > am I right?

    Yep.

    > You can't redirect a packet back out the interface it was
    > received on, so that won't work. Either he'll need to use a different
    > address for each location (which can sometimes be handled by having the
    > name server hand out different addresses to queries from different
    > subnets; some popular desktop OSes will cache the lookups for longer
    > than you'd like, partly mitigated by stopping the 'DNS Client' service),
    > or the mail server could be moved to a different nic on the firewall,
    > or nc can be used to forward connections as described in the PF FAQ.

    Thanks, I didn't know about nc. Just based on glancing at its man page,
    it'll probably do the trick. If it doesn't, then connecting the mail server
    to its own nic on the firewall is a darn good idea that I should've thought
    of.

    Thanks.
    - R.
