Hello,
OpenBSD current amd64
I would like to isolate an application from the network and also
to make sure that every packet goes to a certain port at a
certain IP address.
On Linux I achieved that using a network namespace, veth,
iptables (destination nat) or nftables (dnat and snat).

So far I have a pair of pair devices:
cat /etc/hostname.pair*
inet 172.10.0.1 255.255.255.0 172.10.0.255 rdomain 1 \
description "An isolated Ethernet"
inet 172.10.0.2 255.255.255.0 172.10.0.255

patched together
ifconfig pair1 patch pair2

with default route:
route -T1 add default 172.10.0.2

Commands for programs:
Server
/usr/local/bin/sudo -u user /usr/bin/nc -4 -k -l 172.10.0.2 9191

Commands for programs I would like to intercept/redirect:
Client 1 (port is the same):
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
-u user /usr/bin/nc -4 -v 172.10.0.2 9191
Client 2 (port must be also redirected):
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
-u user /usr/bin/nc -4 -v 172.10.0.2 9192

I struggle with the pf rules. Now I have something like this,
but it is probably wrong:
pass out  quick on pair1 inet  proto tcp from 172.10.0.1  \
rdr-to 172.10.0.2 port 9040  keep state (floating)
pass out  quick on pair1 inet  proto udp from 172.10.0.1  \
rdr-to 172.10.0.2 port 9053  keep state (floating)

pass in quick log (all, to pflog0) on pair2 inet proto tcp  \
to 172.10.0.2  nat-to pair1
pass in quick log (all, to pflog0) on pair2 inet proto udp  \
to 172.10.0.2 nat-to pair1

pass in
pass out
pass out on {pair1,pair2}
pass in  on  {pair1,pair2}

I have tried various other pf rules and the rtable option,
but none of that has worked.
Do I need rdr-to and nat-to (like in nftables), or
could I just use rdr-to (like in iptables)?
What pf rules should I use?
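
An added example (not part of the original post or any reply) of a pf.conf fragment for the setup above, assuming pair1 is in rdomain 1, pair2 in rdomain 0, nc listening on 172.10.0.2:9191, and that an outbound rdr-to alone is enough because 172.10.0.1 is directly reachable from rdomain 0 over pair2:

```pf
# Assumed layout from the post: pair1 (rdomain 1) is the isolated side,
# pair2 (rdomain 0) is where nc listens. Addresses are the post's own.
iso_if   = "pair1"
iso_src  = "172.10.0.1"
srv_addr = "172.10.0.2"
srv_port = "9191"

# Default for the isolated side: nothing leaves pair1 unless a rule below
# passes it, and every drop is logged so a misbehaving program is visible.
block out log on $iso_if

# Client 1: destination port already matches the server, nothing to translate.
pass out on $iso_if inet proto tcp from $iso_src to $srv_addr port $srv_port

# Client 2: the program was told port 9192; rewrite it to the real server port.
# rdr-to on an outbound rule changes only the destination port, so the routing
# decision (172.10.0.2 via pair1) is unaffected. The state entry translates
# replies back, so no nat-to is needed: the server replies to 172.10.0.1
# directly over pair2.
pass out log on $iso_if inet proto tcp from $iso_src to $srv_addr port 9192 \
    rdr-to $srv_addr port $srv_port

# Receiving side in rdomain 0: accept only the server port on pair2.
pass in on pair2 inet proto tcp to $srv_addr port $srv_port
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading; after a Client 2 connection, `pfctl -ss` should show the state with the 9192 to 9191 translation, and the pflog0 entries show what the block rule dropped.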
