Port forwarding using pf in FreeBSD system

Source: Internet
Author: User
After a default installation of FreeBSD 9.0, start pf:
# pfctl -e
Tip: this prints
pfctl: /dev/pf: No such file or directory
The kernel needs to load the corresponding module:
# kldload pf
Or enable it in the startup script /etc/rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf" ### this is to be confirmed
When pf is started again, the following message is displayed:
# pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
ALTQ does not work for the moment. After pf is started, no rules are loaded; at system boot the configuration is loaded from /etc/pf.conf.
Edit /etc/pf.conf:
rdr on bge1 proto tcp from any to $a port 443 -> $b port 443
Load the configuration:
# pfctl -f /etc/pf.conf
Traffic to port 443 is still not forwarded. Check with tcpdump:
# tcpdump -i bge1 -n tcp port 443
The server only receives the packets and does not forward them.
Run the following command:
# sysctl -w net.inet.ip.forwarding=1
Now the server starts forwarding data, but the service still cannot be accessed normally.
The tcpdump capture shows that the client sends packets to the server ($proxy); after the server forwards them, the reply packets from the destination address do not match the packets the client sent (their source and destination addresses differ), so the client sends an RST to the destination address and terminates the connection.
In summary, address translation is also required on the server. Modify the rules as follows:
rdr pass on bge1 proto tcp from any to $a port 80 -> $b port 80
nat on bge1 from any to $b -> $
Reload the rules with pfctl and it works.
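A complete /etc/pf.conf that puts the steps above together, added here as an example and not the article's own file. It assumes the article's $a is the address clients connect to on the proxy and $b is the real server; bge1 is from the article, the addresses are constructed placeholders, and the nat target (left undisplayed in the article) is replaced by pf's "(interface)" notation for the interface's own address.

```pf
# Added example /etc/pf.conf: forward TCP 443 arriving at the proxy address on
# bge1 to a backend, and fix the return path with source NAT.
# bge1 is the interface from the article; the addresses are constructed placeholders.
ext_if   = "bge1"
proxy_ip = "192.0.2.10"     # address clients connect to ($a in the article)
backend  = "198.51.100.5"   # real server ($b in the article)
fwd_port = "443"

# pf.conf order: macros, options, translation rules (nat/rdr), then filter rules.
set skip on lo0

# Step 1 (rdr): rewrite the destination of inbound connections to the backend.
# "rdr pass" passes the redirected packet with state immediately, so a later
# "block" rule cannot silently drop it.
rdr pass on $ext_if proto tcp from any to $proxy_ip port $fwd_port -> $backend port $fwd_port

# Step 2 (nat): rewrite the source of the forwarded packets to the proxy's own
# address so the backend replies to the proxy instead of directly to the client.
# Without this the client sees replies from an address it never contacted and
# answers with RST (the symptom in the article). "($ext_if)" is the interface's
# own address, tracked dynamically; the article's rule ends in a macro that was
# not preserved, so this notation is used instead.
nat on $ext_if proto tcp from any to $backend port $fwd_port -> ($ext_if)

# Forwarding itself is a kernel setting, not a pf rule:
#   sysctl net.inet.ip.forwarding=1      (and in /etc/sysctl.conf to persist)
#
# Verification after editing:
#   pfctl -nf /etc/pf.conf   # parse only; catches syntax errors before loading
#   pfctl -f  /etc/pf.conf   # load the rules
#   pfctl -s nat             # show the active rdr/nat rules
#   pfctl -s state           # one state per client connection on each leg
```

Because of the nat rule the backend logs every connection with the proxy's address as its source, so client attribution has to come from the proxy (for example the pf state table or a `log` keyword on the rdr rule).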
Note:
If you need net.inet.ip.forwarding=1 to persist across reboots, edit /etc/sysctl.conf:
net.inet.ip.forwarding=1 # 1 = permit forwarding (routing) of packets
tcpdump commands used in this article:
tcpdump -i bge1 -n host 1.1.1.1 and ! tcp port 23
tcpdump -i bge1 -n -X -s 0 tcp port 80
-X prints the packet contents; -s sets the capture length per packet; -n disables name resolution.
Note: If clients dial in over VPN and you forward their packets, the pf.conf configuration should be:
nat on re0 from 192.168.1.0/24 to any -> 1.1.1.1
192.168.1.0/24 is the client address range, any is the destination address, and 1.1.1.1 is the address after NAT translation.
