OpenBSD pf - implementing the equivalent of an iptables DNAT
- by chutz
The IP address of an internal service is going to change. We have an OpenBSD access point (ssh + autpf rules) where clients connect and open a connection to the internal IP.
To give us more time to reconfigure all clients to use the new IP address, I thought we can implement the equivalent of a DNAT on the authpf box. Basically, I want to write a rule similar to this iptables rule which lets me ping both $OLD_IP and $NEW_IP.
iptables -t nat -A OUTPUT -d $OLD_IP -j DNAT --to-dest $NEW_IP
Our version of OpenBSD is 4.7, but we can upgrade if necessary.
If this DNAT is not possible we can probably do a NAT on a firewall along the way.
The closest I was able to accomplish on a test box is:
pass out on em1 inet proto icmp from any to 10.68.31.99 nat-to 10.68.31.247
Unfortunately, pfctl -s state tells me that nat-to translates the source IP, while I need to translate the destination.
$ sudo pfctl -s state
all icmp 10.68.31.247:7263 (10.68.30.199:13437) -> 10.68.31.99:8 0:0
I also found lots of mentions about rules that start with rdr and include the -> symbol to express the translation, but it looks like this syntax has been obsoleted in 4.7 and I cannot get anything similar to work. Attempts to implement a rdr fail with a complaint that
/etc/pf.conf:20: rdr-to can only be used inbound
