> like to be able to log in to their machine. I've tried setting up
> specific rules that rdr to their machines to no avail. Here are some
> things I've tried:
I'm not quite sure why you are using the rdr rule. I've got the
same requirements as you have described above but no need for rdr.
I am assuming that you are making the user authenticate again after
making any change to the authpf.rules for that particular user.
You should be able to use the following pf.conf and authpf.rules
for your particular needs.
I hope that this helps.
Mark T. Uemura
OpenBSD Support Japan Inc.
www.openbsd-support.com
################################################################################
# OpenBSD 3.7 (Generic) - pf.conf
################################################################################
#-------------------------------------------------------------------------------
# Set up a bunch of variables
# Interface Names & their respective IP addresses
int_if="fxp0" # AAA.AAA.AAA.AAA
ext_if="fxp1" # BBB.BBB.BBB.BBB
loop="lo0"
table <sshscan> persist
table <select_ips> { aaa.aaa.aaa.aaa }
icmp_types = "{ 0 3 8 11 }"
#-------------------------------------------------------------------------------
# Options
set block-policy return
# pf keeps a single loginterface; a second "set loginterface" silently overrides the first
set loginterface $ext_if
#-------------------------------------------------------------------------------
# Clean up fragmented and abnormal packets
scrub in all no-df random-id fragment reassemble
#-------------------------------------------------------------------------------
# NAT
nat-anchor "authpf/*"
#-------------------------------------------------------------------------------
# Set out default policies (block and log everything)
block in log all
block out log all
#-------------------------------------------------------------------------------
# loopback packets left unmolested
pass quick on $loop all
#-------------------------------------------------------------------------------
#-- $ext_if fxp1 BBB.BBB.BBB.BBB
#-------------------------------------------------------------------------------
antispoof quick for $ext_if inet
block in log quick on $ext_if proto tcp from <sshscan> to any port 22
# PASS IN icmp requests
pass in log on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types keep state
# PASS IN inbound ssh
pass in log on $ext_if inet proto tcp from any to $ext_if port 22 flags S/SA keep state
# PASS OUT all outbound traffic on $ext_if
pass out log on $ext_if inet proto { tcp, udp, icmp } all keep state
#-------------------------------------------------------------------------------
#-- $int_if fxp0 AAA.AAA.AAA.AAA
#-------------------------------------------------------------------------------
# Block spoofed packets for this interface
antispoof quick for $int_if inet
# PASS IN from internal LAN
pass in quick on $int_if inet proto tcp from <select_ips> to $int_if port 22 flags S/SA keep state
pass in quick on $int_if inet proto icmp from <select_ips> to $int_if icmp-type $icmp_types keep state
anchor "authpf/*"
################################################################################
# The End
################################################################################
==
################################################################################
# OpenBSD 3.7 (Generic) - authpf.rules
################################################################################
#-------------------------------------------------------------------------------
# Set up a bunch of variables
int_if="fxp0" # AAA.AAA.AAA.AAA
rdcuser_ip="aaa.aaa.aaa.aaa"
rdc="3389"
#-------------------------------------------------------------------------------
nat on $int_if from $user_ip to any -> $int_if
#-------------------------------------------------------------------------------
#-- PASS OUT select outbound traffic on $int_if
#-------------------------------------------------------------------------------
pass out log on $int_if inet proto tcp from $int_if to $rdcuser_ip port $rdc flags S/SA keep state
################################################################################
# The End
################################################################################