
I'm currently using IPFW on 3 dedicated firewall servers, and I would like to convert them to PF for some of its functionalities, but I need divert to work. Specifically I am teeing packets to a custom application for network analysis purposes.

Is it (or something similar) supported in PF?

3 Answers


If I remember correctly: PF has a special interface for monitoring purposes (pflog). You might wanna consult the manpage for it.

pauska
  • Correct, you would log the packets and then use tcpdump or what have you to grab the packet. Details here: http://www.openbsd.org/faq/pf/logging.html Example: pass in log (all, to pflog1) on $ext_if inet proto tcp to $ext_if port 22 keep state – Jeremy Rossi Nov 30 '09 at 20:34
  • Thanks, that's interesting but I would still like to know if there's something more divert-like. – Massimiliano Torromeo Nov 30 '09 at 20:42
  • pf has a "rdr" option, tried looking into that? The PF manual (at openbsd.org) is very good, try it. – pauska Nov 30 '09 at 21:57
  • http://www.openbsd.org/faq/pf/logging.html may be useful – SaveTheRbtz Dec 01 '09 at 19:14

No, in OpenBSD 4.6, PF has no divert-like feature.

But good news: divert for PF will be included in OpenBSD 4.7.

See http://www.mail-archive.com/source-changes@openbsd.org/msg11694.html for details. You could try it with OpenBSD-current branch / snapshots.

Foxy

pf does have a command called 'divert-to' that is supposed to provide for local transparent routing. See the pf.conf man page for slightly more details. It appears to be simple but it doesn't seem to want to do what I want it to do: local capture and redirection to a local port of outbound traffic which is locally generated.

Other similar commands which I have tried but to no avail are: 'rdr' which instructs a packet to have a new destination, overwriting the old one... useful for destination nat type applications. 'route-to' which instructs a packet to pass through another location before arriving at its original destination... doesn't accept a port, useful for routers, not so much for proxies.
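To put the mechanisms mentioned across the answers side by side, here is an added pf.conf fragment (not from any of the posters) in the rule syntax OpenBSD uses from 4.7 onward: pflog logging as in the first answer, rdr-to and divert-to as in the third, and divert-packet, the divert(4) socket interface the second answer anticipates. The interface name, addresses and port numbers are constructed for illustration.

```conf
ext_if = "em0"               # assumed external interface
analyzer_port = "700"        # constructed: port the analysis program binds its divert(4) socket to

# 1. Logging: copy matching packets to pflog1 (create it first with "ifconfig pflog1 create"),
#    then read them with "tcpdump -n -e -ttt -i pflog1". The packet itself is forwarded as usual.
pass in log (all, to pflog1) on $ext_if inet proto tcp to ($ext_if) port 22 keep state

# 2. Tee-like behaviour for a custom application: divert-packet hands every matching packet to
#    the local divert(4) socket on $analyzer_port. Unlike logging, the packet is NOT forwarded
#    until the application writes it back to the socket, so the analyzer is in the data path and
#    an analyzer that is down or slow means dropped or delayed traffic.
pass in  on $ext_if inet proto tcp to port 80 divert-packet port $analyzer_port
pass out on $ext_if inet proto tcp from port 80 divert-packet port $analyzer_port

# 3. divert-to: deliver matching packets to a local listener without rewriting the packet,
#    e.g. a transparent proxy on 127.0.0.1:8080 (the use the third answer describes).
pass in on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 8080

# 4. rdr-to: rewrite the destination (destination NAT), the "rdr" option the comments mention.
pass in on $ext_if inet proto tcp to ($ext_if) port 8080 rdr-to 192.0.2.10 port 80
```

Check the ruleset with "pfctl -nf /etc/pf.conf" before loading it; the pf.conf(5) and divert(4) man pages for the running release are the authority on which of these keywords it accepts.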