not-mms/relayd redirection and reflection.md

## relayd redirection and reflection.md

      
    Raw
  

              relayd redirection and reflection.md
            
          
    There is a server running in the LAN and port redirection is used to make it accessible from the internet.
To make this redirection work for clients on the LAN too you have to add an additional NAT rule as suggested in PF FAQ.
If redirection rules are generated by relayd do the following to add an additional NAT rule:

Modify the relevant redirection section in relayd.conf to match and tag packets (see example below).
Add the necessary rules for tagged packets (see example below) following the relayd/* anchor in pf.conf.


## x relayd.conf
# NOTE this is not a full configuration, only related parts are present.

# let's assume that there is a tor node running on the LAN
# that you need to make accessible from the internet and from the LAN on external address

ext_ip="3.1.2.8"
or_port="9001"
dir_port="9030"

table <tor_node> { 192.168.1.50 }


redirect "redirect_or_port" {
    # note that the interface is not specified here,
    # so generated redirection rules match incoming packets on all interfaces
    listen on $ext_ip tcp port $or_port

    forward to <tor_node> check tcp

    # note that it is possible to customize generated redirection rules via pf.conf
    # these rules have to be generated as match rules
    # so besides adding NAT options for the LAN clients
    # it is also necessary to add pass rules for redirections to work
    match pftag REDIRECTED
}

redirect "redirect_dir_port" {
    listen on $ext_ip tcp port $dir_port
    forward to <tor_node> check tcp
    match pftag REDIRECTED
}

# notice that a redirect section is needed for each port of interest
# but the same tag name is used that allows common rules for all redirects in pf.conf

## z pf.conf
# NOTE this is not a full configuration, only related parts are present.

int_if="em0"

#
# ... skipped macros, options and whatever comes prior to relayd anchor
#

# have a look at all the rules
#
#    pfctl -a "*" -sr
#
annchor "relayd/*"

# all redirected packets get tagged - incoming on $ext_if and on $int_if
# but the additional NAT-rule must be applied only for the ones on $int_if
match out on $int_if tagged REDIRECTED received-on $int_if nat-to $int_if

# make sure that the generated match rules are quickly passed
# as if there were no 'match pflog' directive in relayd.conf
pass out quick tagged REDIRECTED
pass in quick tagged REDIRECTED

#
# ... skipped filters
#
	# NOTE this is not a full configuration, only related parts are present.

	# let's assume that there is a tor node running on the LAN
	# that you need to make accessible from the internet and from the LAN on external address

	ext_ip="3.1.2.8"
	or_port="9001"
	dir_port="9030"

	table <tor_node> { 192.168.1.50 }


	redirect "redirect_or_port" {
	# note that the interface is not specified here,
	# so generated redirection rules match incoming packets on all interfaces
	listen on $ext_ip tcp port $or_port

	forward to <tor_node> check tcp

	# note that it is possible to customize generated redirection rules via pf.conf
	# these rules have to be generated as match rules
	# so besides adding NAT options for the LAN clients
	# it is also necessary to add pass rules for redirections to work
	match pftag REDIRECTED
	}

	redirect "redirect_dir_port" {
	listen on $ext_ip tcp port $dir_port
	forward to <tor_node> check tcp
	match pftag REDIRECTED
	}

	# notice that a redirect section is needed for each port of interest
	# but the same tag name is used that allows common rules for all redirects in pf.conf
	# NOTE this is not a full configuration, only related parts are present.

	int_if="em0"

	#
	# ... skipped macros, options and whatever comes prior to relayd anchor
	#

	# have a look at all the rules
	#
	# pfctl -a "*" -sr
	#
	annchor "relayd/*"

	# all redirected packets get tagged - incoming on $ext_if and on $int_if
	# but the additional NAT-rule must be applied only for the ones on $int_if
	match out on $int_if tagged REDIRECTED received-on $int_if nat-to $int_if

	# make sure that the generated match rules are quickly passed
	# as if there were no 'match pflog' directive in relayd.conf
	pass out quick tagged REDIRECTED
	pass in quick tagged REDIRECTED

	#
	# ... skipped filters
	#