 
  • Locked thread
unclefu
Jul 1, 2004
mr .shuffles

feld posted:

I challenge you BSDers to a duel. Well, not really, but nobody in #openbsd, #pf, or #freebsd could give me an answer to this question.

Scenario:

Server. Needs the firewall on said server to rewrite packets originating (OUTGOING) from the server. Not passing packets through interfaces. I need packets from the server itself to be rewritten.


rdr inet proto tcp from self to IP -> OTHER_IP

doesn't work.

In Linux:
iptables -A OUTPUT -t nat -d IP -j DNAT --to OTHER_IP

Reason: Internal dev webserver. Going to have developers connect through a SOCKS proxy on the firewall so their traffic to our real webservers gets diverted/rewritten to our internal webserver for mucking about with webserver settings and not messing with production. This is the only way. Hosts file changes, changing DNS servers that point to internal addresses is not viable. Webservers MUST use the hostname/virtualhost or they don't function (heavy Oracle PL/SQL sites, custom site software, requires this to function).

This is the only reasonable way to do it. I currently have it rigged up through a Linux box right now but I'm dying to get this answer for pf.

pf has binat, would that work?
