Hello dear OpenBSD Folks,
I'm trying to use PF's divert-packet feature at inbound connections.
I have a simple config:
LAN side : vlan10
WAN side : pppoe0
The divert man page's sample C code is running at raw port 700.
My pf.conf (not all lines...):
set skip on { lo0 }
set block-policy drop
#
block log all
pass in log quick on vlan10 inet proto icmp from vlan10:network to any
pass in log quick on vlan10 inet proto udp from vlan10:network to <allowed_dns_servers> port 53
pass in log quick on vlan10 inet proto tcp from 10.10.10.10 to any port { 80 443 } divert-packet port 700
pass out log quick on egress inet from 10.10.10.10 to any nat-to (egress)
#
pass out from (vlan10)
pass out from (pppoe0)
Here are the divert logs from the divert.c program:
# ./divert
10.10.10.10:53317 -> 129.128.5.194:443
10.10.10.10:53317 -> 129.128.5.194:443
10.10.10.10:53317 -> 129.128.5.194:443
10.10.10.10:53317 -> 129.128.5.194:443
10.10.10.10:53317 -> 129.128.5.194:443
10.10.10.10:53317 -> 129.128.5.194:443
10.10.10.10:53317 -> 129.128.5.194:443
10.10.10.10:53315 -> 129.128.5.194:443
10.10.10.10:53316 -> 129.128.5.194:443
10.10.10.10:53317 -> 129.128.5.194:443
Here is the log from tcpdump:
rule 5/(match) pass in on vlan10: 10.10.10.10.53317 > 129.128.5.194.443: S 3698415379:3698415379(0) win 65535 <mss 1460,nop,wscale 6,nop,nop,timestamp 988128219 0,sackOK,eol> (DF)
But no web page is displayed while the ingress divert-packet rule is online.
If I write the divert-packet rules as outbound, it's OK. But this is not what I
want: because of NAT's nature, I cannot see my private IP address as the
source.
Does PF support ingress divert-packet rules?
Or is it possible to use divert-packet before NAT operations on the egress
interface?
Thanks in advance.
--
Best Regards
Anton
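An added example, not the poster's divert.c and not the divert(4) sample: a minimal divert socket reader that parses each IPv4 packet, logs it in the same "src:port -> dst:port" form as the post, and writes the packet back with sendto(). The divert port 700 is taken from the post's pf.conf rule; the helper names (parse_ipv4, format_flow) and the embedded sample packet are this example's own constructions. The socket loop only compiles on OpenBSD, so it is guarded; the parser is portable and is exercised on the constructed packet elsewhere.

```c
/*
 * Added example (not the poster's divert.c): read packets from a divert(4)
 * socket, log the flow, and re-inject them unchanged.
 * Assumptions: divert port 700 (from the post's pf.conf); parse_ipv4() and
 * format_flow() are this example's own helpers; sample_syn is a constructed
 * packet matching the flow in the post's tcpdump line.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DIVERT_PORT 700   /* port used in the post's "divert-packet port 700" rule */

struct flow {
    char src[INET_ADDRSTRLEN];
    char dst[INET_ADDRSTRLEN];
    uint16_t sport, dport;
    uint8_t proto;
};

/* Parse the IPv4 header (plus TCP/UDP ports when present) out of a raw packet.
 * Returns 0 on success, -1 if the buffer is too short or not IPv4. */
int parse_ipv4(const unsigned char *pkt, size_t len, struct flow *f)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* header length in bytes */
    if (ihl < 20 || len < ihl)
        return -1;
    memset(f, 0, sizeof(*f));
    f->proto = pkt[9];
    struct in_addr a;
    memcpy(&a, pkt + 12, 4);
    inet_ntop(AF_INET, &a, f->src, sizeof(f->src));
    memcpy(&a, pkt + 16, 4);
    inet_ntop(AF_INET, &a, f->dst, sizeof(f->dst));
    if ((f->proto == IPPROTO_TCP || f->proto == IPPROTO_UDP) && len >= ihl + 4) {
        f->sport = (uint16_t)((pkt[ihl] << 8) | pkt[ihl + 1]);
        f->dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    }
    return 0;
}

/* Format a flow as "src:sport -> dst:dport", the layout of the post's log. */
int format_flow(const struct flow *f, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s:%u -> %s:%u",
                    f->src, (unsigned)f->sport, f->dst, (unsigned)f->dport);
}

/* Constructed sample: 40-byte IPv4+TCP SYN 10.10.10.10:53317 -> 129.128.5.194:443 */
static const unsigned char sample_syn[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 10, 10, 10,            /* src 10.10.10.10 */
    129, 128, 5, 194,          /* dst 129.128.5.194 */
    0xd0, 0x45,                /* sport 53317 */
    0x01, 0xbb,                /* dport 443 */
    0, 0, 0, 0, 0, 0, 0, 0,    /* seq, ack */
    0x50, 0x02, 0xff, 0xff,    /* data offset 5, SYN, window */
    0x00, 0x00, 0x00, 0x00     /* checksum (not computed here), urgent */
};

int main(void)
{
    struct flow f;
    char line[128];
#ifdef __OpenBSD__
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd == -1) { perror("socket"); return 1; }
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(DIVERT_PORT);
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1) { perror("bind"); return 1; }
    unsigned char buf[65535];
    for (;;) {
        struct sockaddr_in from;
        socklen_t fromlen = sizeof(from);
        ssize_t n = recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *)&from, &fromlen);
        if (n == -1) { perror("recvfrom"); break; }
        if (parse_ipv4(buf, (size_t)n, &f) == 0) {
            format_flow(&f, line, sizeof(line));
            puts(line);
        }
        /* Every packet read must be written back with the same sockaddr, or the
         * kernel never sees it again and the connection simply stalls. */
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fromlen) == -1)
            perror("sendto");
    }
    close(fd);
#else
    /* Not OpenBSD: just show the parser on the constructed packet. */
    if (parse_ipv4(sample_syn, sizeof(sample_syn), &f) == 0) {
        format_flow(&f, line, sizeof(line));
        puts(line);
    }
#endif
    return 0;
}
```

The check worth keeping in mind with any divert reader is the sendto() on every packet, including ones you decide not to log: a packet that is read but not re-injected is gone, and repeated SYN lines from the same source port, as in the post's log, are what a client retransmitting into that gap looks like.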