# Run multiple services on one port and use PFÃ¢Â€Â™s overload to switch between them



## Carpetsmoker (Nov 13, 2010)

*Run multiple services on one port and use PFâ€™s overload to switch between them*

At work we have a http/https proxy which requires authentication, I would like to access both ssh and a subversion https repository at my server. 
 The easy solution would be to use two IP addresses. I do not have an additional IP address available. 
 Using any port other than 443 also has problems, since thereâ€™re blocked.

As a sidenote, you may be wondering why Iâ€™m not just using http for my subversion access. The reason is that the HTTP proxy we have doesnâ€™t support certain WebDAV extensions that are required.

*The solution*
Use pfâ€™s _overload_ feature to switch between services on a given port.

Using it is simple: 
 I can use svn whenever I need, if I would like to use ssh I open my browser, go to [font=mono]http://94.142.244.51[/font] three times in 42 seconds and I can use ssh. 
 After closing ssh and waiting for a minute will remove my workâ€™s IP from the rdr_ssh table and I can use svn again.

This solution will work for FreeBSD and OpenBSD. The concept can probably be implemented in most other stateful firewalls too.

*/etc/pf.conf*
Simplified ruleset for demonstration purposes


```
# Interface to filter
  if="re0"
  
  # My server's IP
  ip="94.142.244.51"
  
  # IP from my work
  work={"80.246.203.133"}
  
  # Table to keep track of who should be redirected from port 443 to port 22
  table  persist
  
  # Redirect everyone in the rdr_ssh table from port 443 to port 22
  rdr on $if inet proto tcp from  to $ip port https -> $ip port ssh
  
  # Default rules
  block in log
  pass out quick
  
  # Allow traffic on port 443
  pass in on $if proto tcp from any to $ip port https
  
  # Allow traffic on port 80 for svn/ssh "switching", allow it only from my work.
  # Most browsers will try to load /favicon.ico so opening a page once are two
  # connections.
  pass in log quick proto tcp from $work to $ip port http keep state
    (max-src-conn-rate 6/42, overload )
```

*dummy_server.py*
From [font=mono]pf.conf(5)[/font]:


```
For stateful TCP connections, limits on established connections (connec-
       tions which have completed the TCP 3-way handshake) can also be enforced
       per source IP.
  
       max-src-conn 
  	   Limits the maximum number of simultaneous TCP connections which
  	   have completed the 3-way handshake that a single host can make.
  
       max-src-conn-rate  / 
  	   Limit the rate of new connections over a time interval.  The con-
  	   nection rate is an approximation calculated as a moving average.
```

It took me some time to realize that if no service is running on port 80 the connection attempt will just time out and the 3-way handshake is not completed.

You can use Python to start a simple â€œdonothing webserverâ€:


```
#!/usr/bin/env python
  
  from BaseHTTPServer import *
  
  host = '94.142.244.51'
  port = 80
  
  HTTPServer((host, port), BaseHTTPRequestHandler).serve_forever()
```

Or you can use your webserver with a document root of [font=mono]/var/empty/[/font] if you prefer.

*/etc/crontab*
You can also add a crontab entry to flush the table periodically to switch back to svn when youâ€™re done with ssh. To your [font=mono]/etc/crontab[/font] add:


```
*       *      *       *       *       root /sbin/pfctl -t rdr_ssh -T expire 60 > /dev/null 2>&1
```

From [font=mono]pfctl(8)[/font]:


```
-T expire number
                             Delete addresses which had their statistics cleared
                             more than number seconds ago.  For entries which
                             have never had their statistics cleared, number
                             refers to the time they were added to the table.
```
In other words: As long as a connection is open, the address wonâ€™t be removed, but if no connection has been open for 60 seconds the address is removed.

Or, if you prefer, you can manually clear the table with:


```
pfctl -t rdr_ssh -T del
```

*Further reading*
[font=mono]pfctl(8)[/font] 
[font=mono]pf.conf(5)[/font] 
PF userâ€™s guide from the OpenBSD site 
FreeBSD handbook: 30.4 The OpenBSD Packet Filter (PF) and ALTQ


----------

