Simon Žekar - unix, communications, stupidities » pf http://simon.zekar.com "Unix is simple, but it takes a genious to understand the simplicity" --Dennis Ritchie Fri, 23 Apr 2010 22:11:08 +0000 http://wordpress.org/?v=2.8.4 en hourly 1 FreeBSD massive port forwarding http://simon.zekar.com/2009/02/07/freebsd-massive-port-forwarding/ http://simon.zekar.com/2009/02/07/freebsd-massive-port-forwarding/#comments Sat, 07 Feb 2009 20:15:08 +0000 sIMON http://simon.zekar.com/?p=68 Portfwd was the choice of software when I ever needed to forward a port from the server to another server – multiple hops away (not NAT port mapping).

It uses configuration like this (193.2.1.66 is the local ip, 193.2.1.80 is destination server IP):

bind-address 193.2.1.66
tcp { 55443 { => 193.2.1.80:443 } }
tcp { 55022 { => 193.2.1.80:22 } }

But it fails doing its job right when you use this on a really busy port/service (500 or more simultaneous established TCP connections).

pf does the forwarding well even over 1000 TCP connections. Example:

rdr on em0 proto tcp from any to 193.2.1.66 port 55443 -> 193.2.1.80 port 443
rdr on em0 proto tcp from any to 193.2.1.66 port 55022 -> 193.2.1.80 port 22
nat on em0 from any to 193.2.1.80 -> 193.2.1.66

- the em0 is the name of the outside interface. Without the nat rule, destination server would see a packet with source ip of the client so it would send a packet back directly to the client which causes asymmetric routing and very possible problems. The nat rule changes the source IP to the port forwarders one.

Happy forwarding,
S.

]]> http://simon.zekar.com/2009/02/07/freebsd-massive-port-forwarding/feed/ 0