PF temporary reroute to different IP

Question

I have a FreeBSD host that serves as an entry point to additional systems on an internal network. As such I have pf configured to redirect incoming traffic on certain ports (say, port 5000) to the host local address on one of the jails running a network service on that machine. This looks like this:

---port 5000--->[Main host]
                     |
                     |---port 5000--->[Machine A]
                     |~~~~~~~~~~~~~~~~[Machine B]

The redirection is performed by the PF rule:

rdr pass on egress proto tcp from any to $IP port 5000 -> $MACHINE_A_IP

This is the state I almost always want, and that is what is configured by default. However, I'd like to sometimes temporarily redirect port 5000 to the Machine B, like this:

---port 5000--->[Main host]
                     |
                     |~~~~~~~~~~~~~~~~[Machine A]
                     |---port 5000--->[Machine B]

I've tried setting up PF anchors to facilitate this, but as I'm new to PF I find it hard to parse documentation to cover this use case.

How do I issue dynamic PF rules on the main host to temporarily redirect 5000 from Machine A to Machine B?

Answer 1

The proper way to achieve this is to use table as a target for redirection. You can change content of table without reloading pf using pfctl. Just be aware that existing firewall states will keep forwarding traffic to the old host until tcp streams are closed or udp "streams" timeout.