OpenBSD pf - implementing the equivalent of an iptables DNAT

Posted by chutz on Server Fault
Published on 2012-06-20T03:13:04Z Indexed on 2012/06/20 3:17 UTC


The IP address of an internal service is going to change. We have an OpenBSD access point (ssh + authpf rules) where clients connect and open a connection to the internal IP.

To give us more time to reconfigure all clients to use the new IP address, I thought we could implement the equivalent of a DNAT on the authpf box. Basically, I want to write a rule similar to this iptables rule, which lets me ping both $OLD_IP and $NEW_IP.

iptables -t nat -A OUTPUT -d $OLD_IP -j DNAT --to-dest $NEW_IP

Our version of OpenBSD is 4.7, but we can upgrade if necessary. If this DNAT is not possible we can probably do a NAT on a firewall along the way.

The closest I was able to accomplish on a test box is:

pass out on em1 inet proto icmp from any to 10.68.31.99 nat-to 10.68.31.247

Unfortunately, pfctl -s state tells me that nat-to translates the source IP, while I need to translate the destination.

$ sudo pfctl -s state
all icmp 10.68.31.247:7263 (10.68.30.199:13437) -> 10.68.31.99:8       0:0

I also found lots of mentions about rules that start with rdr and include the -> symbol to express the translation, but it looks like this syntax has been obsoleted in 4.7 and I cannot get anything similar to work. Attempts to implement a rdr fail with a complaint that

/etc/pf.conf:20: rdr-to can only be used inbound
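The error message above is the key to the fix: in the OpenBSD 4.7+ syntax, `rdr-to` (destination rewriting) is only accepted on inbound rules, while `nat-to` (source rewriting) is what `pass out` gets. The following pf.conf fragment is an added example, not part of the question or any answer to it; it rewrites the destination of forwarded traffic on the interface where the clients' packets enter the box instead of on the outbound interface. It assumes em0 is the client-facing interface (em1 and the two addresses are taken from the question).

```pf
# Added example (not from the question): pf equivalent of
#   iptables -t nat -A OUTPUT -d $OLD_IP -j DNAT --to-dest $NEW_IP
# for traffic forwarded through an OpenBSD 4.7+ box.
# Assumptions: em0 is the interface the authpf clients' traffic arrives on,
# em1 faces the internal network (as in the question).
int_if = "em0"
ext_if = "em1"
old_ip = "10.68.31.99"
new_ip = "10.68.31.247"

# rdr-to is only valid inbound, which is why attaching it to "pass out"
# fails with "rdr-to can only be used inbound". Translate where the packet
# enters instead; "match" performs the translation and leaves the
# pass/block decision to the filter rules below.
match in on $int_if inet from any to $old_ip rdr-to $new_ip

# Rules evaluated after a match rule see the translated destination, so the
# traffic is allowed by its new address, not the old one.
pass in  on $int_if inet from any to $new_ip
pass out on $ext_if inet from any to $new_ip
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; afterwards `pfctl -s state` should show entries whose destination is 10.68.31.247 while the client's source address is left alone, the opposite of the `nat-to` state in the question. Two caveats: the rule only affects packets that pass in on em0, so a ping originated on the authpf box itself (the case the iptables OUTPUT chain also covers) is not rewritten, and in an authpf setup the match rule belongs in the main ruleset ahead of the `authpf/*` anchor so it applies regardless of which per-user rules are loaded.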
