> like to be able to log in to their machine. I've tried setting up
> specific rules that rdr to their machines to no avail. Here are some
> things I've tried:
I'm not quite sure why you are using the rdr rule. I've got the same requirements as you have described above but no need for rdr. I am assuming that you are making the user authenticate again after making any change to the authpf.rules for that particular user. You should be able to use the following pf.conf and authpf.rules for your particular needs. I hope that this helps.

Mark T. Uemura
OpenBSD Support Japan Inc.
www.openbsd-support.com

################################################################################
# OpenBSD 3.7 (Generic) - pf.conf
################################################################################

#-------------------------------------------------------------------------------
# Set up a bunch of variables
#-------------------------------------------------------------------------------
# Interface names & their respective IP addresses
int_if="fxp0"   # AAA.AAA.AAA.AAA
ext_if="fxp1"   # BBB.BBB.BBB.BBB
loop="lo0"

# <sshscan> is never filled from this file; it is populated by hand or from a
# script, e.g. "pfctl -t sshscan -T add <address>"
table <sshscan> persist
table <select_ips> { aaa.aaa.aaa.aaa }

icmp_types = "{ 0 3 8 11 }"

#-------------------------------------------------------------------------------
# Options
#-------------------------------------------------------------------------------
set block-policy return
# pf keeps a single loginterface; a second "set loginterface" line silently
# replaces the first, so statistics are gathered on $ext_if only.
set loginterface $ext_if

#-------------------------------------------------------------------------------
# Clean up fragmented and abnormal packets
#-------------------------------------------------------------------------------
scrub in all no-df random-id fragment reassemble

#-------------------------------------------------------------------------------
# NAT (translation rules must precede the filter rules below)
#-------------------------------------------------------------------------------
nat-anchor "authpf/*"

#-------------------------------------------------------------------------------
# Set our default policies (block and log everything)
#-------------------------------------------------------------------------------
block in log all
block out log all

#-------------------------------------------------------------------------------
# Loopback packets left unmolested
#-------------------------------------------------------------------------------
pass quick on $loop all

#-------------------------------------------------------------------------------
#-- $ext_if fxp1 BBB.BBB.BBB.BBB
#-------------------------------------------------------------------------------
# Block spoofed packets for this interface
antispoof quick for $ext_if inet

# Block known ssh scanners before the ssh pass rule below
block in log quick on $ext_if proto tcp from <sshscan> to any port 22

# PASS IN icmp requests
pass in log on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types keep state

# PASS IN inbound ssh (this is where authpf users log in)
pass in log on $ext_if inet proto tcp from any to $ext_if port 22 flags S/SA keep state

# PASS OUT all outbound traffic on $ext_if
pass out log on $ext_if inet proto { tcp, udp, icmp } all keep state

#-------------------------------------------------------------------------------
#-- $int_if fxp0 AAA.AAA.AAA.AAA
#-------------------------------------------------------------------------------
# Block spoofed packets for this interface
antispoof quick for $int_if inet

# PASS IN from internal LAN
pass in quick on $int_if inet proto tcp from <select_ips> to $int_if port 22 flags S/SA keep state
pass in quick on $int_if inet proto icmp from <select_ips> to $int_if icmp-type $icmp_types keep state

# Per-user rules loaded by authpf(8) are evaluated here
anchor "authpf/*"

################################################################################
# The End
################################################################################

################################################################################
# OpenBSD 3.7 (Generic) - authpf.rules
################################################################################

#-------------------------------------------------------------------------------
# Set up a bunch of variables
#-------------------------------------------------------------------------------
int_if="fxp0"                 # AAA.AAA.AAA.AAA
rdcuser_ip="aaa.aaa.aaa.aaa"  # the machine on the internal LAN the user wants to reach
rdc="3389"                    # Remote Desktop port

#-------------------------------------------------------------------------------
# NAT the authenticated user's address to the internal interface address
# ($user_ip is supplied by authpf(8) at login, not defined in this file)
#-------------------------------------------------------------------------------
nat on $int_if from $user_ip to any -> $int_if

#-------------------------------------------------------------------------------
#-- PASS OUT select outbound traffic on $int_if
#-------------------------------------------------------------------------------
# The nat rule above is applied first, so the filter rule sees $int_if as
# the source address rather than $user_ip.
pass out log on $int_if inet proto tcp from $int_if to $rdcuser_ip port $rdc flags S/SA keep state

################################################################################
# The End
################################################################################
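As an added example (not part of Mark's post and not OpenBSD's own tooling), the checks a practitioner would run over a pf.conf / authpf.rules pair like the one above before loading it: a small Python script that applies the pf.conf(5) section ordering of OpenBSD 3.7 (options, scrub, translation, filter), resolves $macros while treating $user_ip and $user_id as the macros authpf(8) supplies at login, checks that every <table> referenced is declared, and flags more than one "set loginterface" line. The two embedded files are abridged copies of the ones in the post; the pf.conf copy deliberately keeps two "set loginterface" lines so that check has something to flag, and BAD_ORDER is a constructed misordered snippet.

```python
import re

# Macros authpf(8) defines before loading authpf.rules; they are legitimately
# used there without being declared in the file itself.
AUTHPF_MACROS = {"user_ip", "user_id"}

# pf.conf(5) section order on OpenBSD 3.7: options, scrub, translation, filter.
# pfctl rejects a file whose rules go backwards through these sections.
SECTION_RANK = (
    ("set ", 1), ("scrub ", 2),
    ("nat ", 3), ("rdr ", 3), ("binat ", 3),
    ("nat-anchor", 3), ("rdr-anchor", 3), ("binat-anchor", 3),
    ("pass ", 4), ("block ", 4), ("antispoof ", 4), ("anchor ", 4),
)

MACRO_DEF = re.compile(r"^([A-Za-z_]\w*)\s*=")
MACRO_USE = re.compile(r"\$([A-Za-z_]\w*)")
TABLE_DEF = re.compile(r"^table\s+<([^>]+)>")
TABLE_USE = re.compile(r"<([^>]+)>")


def check_pf_conf(text, authpf_rules=False):
    """Return a list of findings for a pf.conf-style ruleset (empty == clean)."""
    findings = []
    macros = set(AUTHPF_MACROS) if authpf_rules else set()
    tables = set()
    loginterfaces = []
    last_rank = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros.add(m.group(1))
            continue
        m = TABLE_DEF.match(line)
        if m:
            tables.add(m.group(1).strip())
            continue
        for name in MACRO_USE.findall(line):
            if name not in macros:
                findings.append("line %d: macro $%s used but never defined" % (lineno, name))
        for name in TABLE_USE.findall(line):
            if name.strip() not in tables:
                findings.append("line %d: table <%s> used but never declared" % (lineno, name))
        parts = line.split()
        if line.startswith("set loginterface") and len(parts) > 2:
            loginterfaces.append(parts[2])
        for prefix, rank in SECTION_RANK:
            if line.startswith(prefix):
                if rank < last_rank:
                    findings.append("line %d: '%s' rule after a later section; pfctl will reject this"
                                    % (lineno, prefix.strip()))
                last_rank = max(last_rank, rank)
                break
    if len(loginterfaces) > 1:  # pfctl accepts this silently; only the last one wins
        findings.append("set loginterface given %d times (%s); only the last one takes effect"
                        % (len(loginterfaces), ", ".join(loginterfaces)))
    return findings


# Constructed input: abridged copy of the posted pf.conf, keeping both
# "set loginterface" lines as originally posted.
PF_CONF = """\
int_if="fxp0"
ext_if="fxp1"
loop="lo0"
table <sshscan> persist
table <select_ips> { aaa.aaa.aaa.aaa }
icmp_types = "{ 0 3 8 11 }"
set block-policy return
set loginterface $int_if
set loginterface $ext_if
scrub in all no-df random-id fragment reassemble
nat-anchor "authpf/*"
block in log all
block out log all
pass quick on $loop all
antispoof quick for $ext_if inet
block in log quick on $ext_if proto tcp from <sshscan> to any port 22
pass in log on $ext_if inet proto tcp from any to $ext_if port 22 flags S/SA keep state
pass out log on $ext_if inet proto { tcp, udp, icmp } all keep state
pass in quick on $int_if inet proto icmp from <select_ips> to $int_if icmp-type $icmp_types keep state
anchor "authpf/*"
"""

# Constructed input: abridged copy of the posted authpf.rules ($user_ip comes from authpf).
AUTHPF_RULES = """\
int_if="fxp0"
rdcuser_ip="aaa.aaa.aaa.aaa"
rdc="3389"
nat on $int_if from $user_ip to any -> $int_if
pass out log on $int_if inet proto tcp from $int_if to $rdcuser_ip port $rdc flags S/SA keep state
"""

# Constructed input: a translation rule placed after a filter rule.
BAD_ORDER = "pass in all\nnat on fxp0 from any to any -> fxp0\n"

if __name__ == "__main__":
    for name, text, ap in (("pf.conf", PF_CONF, False), ("authpf.rules", AUTHPF_RULES, True)):
        print(name + ":", check_pf_conf(text, authpf_rules=ap) or ["ok"])
    print("bad order:", check_pf_conf(BAD_ORDER))
```

The real pre-load check is still "pfctl -nf /etc/pf.conf", which catches undefined macros and out-of-order sections itself; the script adds the one thing pfctl accepts silently (a second "set loginterface") and lets authpf.rules be checked without authpf having defined $user_ip first.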