hairpin nat with pf ?

hairpin nat with pf ?

mediomen27
Hi,
anyone know how to configure pf to make hairpin nat ?


Re: hairpin nat with pf ?

Peter Nicolai Mathias Hansteen
On Wed, Mar 01, 2017 at 12:50:39PM +0100, Frank White wrote:
> Hi,
> anyone know how to configure pf to make hairpin nat ?

At first blush, no.

But after a quick web search, I can think of several equally opaque
terms for the same phenomenon. Some more useful than others.

A piece of general advice: Please try to explain what you want to achieve. Do not
assume that the buzzword you heard is an industry-wide standard term.

The somewhat kludgy setups I find searching for the term are certainly
possible to do (or at least produce equivalent functionality) with OpenBSD PF.

I can even think of several tutorials and accompanying slides that deal
with what you are looking for, available right there on the Internet.
And even a book (*cough*).

But start with the PF FAQ, go on to the pf.conf man page and then move
to the other resources if you feel the need to.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: hairpin nat with pf ?

Stuart Henderson
On 2017-03-01, Frank White <[hidden email]> wrote:
> Hi,
> anyone know how to configure pf to make hairpin nat ?

Should be something like this.

pass in quick inet proto tcp to self port 7755 rdr-to $SOMEHOST port 80 tag hairpin
pass out quick inet tagged hairpin nat-to egress:0


Re: hairpin nat with pf ?

mediomen27
yes it works well. But it's very interesting the use of tag.
Is egress:0 the if alias ?



2017-03-01 16:09 GMT+01:00 Stuart Henderson <[hidden email]>:

> On 2017-03-01, Frank White <[hidden email]> wrote:
> > Hi,
> > anyone know how to configure pf to make hairpin nat ?
>
> Should be something like this.
>
> pass in quick inet proto tcp to self port 7755 rdr-to $SOMEHOST port 80 tag hairpin
> pass out quick inet tagged hairpin nat-to egress:0


Re: hairpin nat with pf ?

Stuart Henderson
On 2017/03/01 17:12, Frank White wrote:
> yes it works well. But it's very interesting the use of tag.

There might be another way to do it, but I stopped looking after I hit
upon one that worked :)

> Is egress:0 the if alias ?

It's the "main" address on the interface, so it's a single consistent
address even if you have aliases. You can of course change it to a
specific address or whatever.
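
An annotated pf.conf variant of the two rules from this thread, added here as an example and not posted by any participant. The interface name, the server address, the restriction to the LAN interface and the commented-out `received-on` alternative are assumptions.

```pf
# Constructed values for illustration only.
int_if  = "em1"            # assumed LAN-facing interface
web_srv = "192.168.1.10"   # assumed internal server (the thread's $SOMEHOST)

# Step 1: a LAN client connects to the firewall itself on port 7755.
# rdr-to rewrites the destination to the internal server, and the tag
# marks the connection so the outbound rule can recognise it.
# Limiting the rule to $int_if and its network keeps the hairpin path
# from also matching connections arriving from outside.
pass in quick on $int_if inet proto tcp from $int_if:network to self port 7755 \
        rdr-to $web_srv port 80 tag hairpin

# Step 2: the redirected packet leaves through the same LAN interface.
# Without nat-to the server would see the client's LAN address as the
# source and reply to it directly, bypassing the firewall, and the
# client would drop the reply because it comes from an address it never
# contacted. Rewriting the source sends the reply back through pf.
# The :0 modifier selects the interface's main address and skips
# aliases, giving one consistent source address.
pass out quick on $int_if inet tagged hairpin nat-to $int_if:0

# Alternative without a tag: match on the interface the packet came in on.
# pass out quick on $int_if inet proto tcp to $web_srv port 80 \
#         received-on $int_if nat-to $int_if:0
```

The syntax can be checked without loading the ruleset using `pfctl -nf` on the file. Because of the source rewrite, the server's logs show the firewall's address for these connections rather than the real LAN client.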