lheck...@users.sourceforge.net writes:
>  I've used the same pf.conf for years with only minimal changes, but 4.7
>  broke it, and I can't seem to fix it.
> 
>  The OBSD machine is a firewall between a cable modem and a private IP LAN.
>  Previously, I used these rules to allow ssh access from specific Internet
>  hosts to a machine in the LAN:
> 
> rdr on $ext_if proto tcp from $work_hosts to any port ssh -> $ssh_host
> pass in quick on $ext_if proto tcp \
>      from $work_hosts to $ssh_host port ssh flags S/SA modulate state
> 
>  In 4.7, I changed this to
> 
> match in on $ext_if proto tcp from $work_hosts to any port ssh rdr-to $ssh_host
> pass in quick on $ext_if proto tcp \
>      from $work_hosts to $ssh_host port ssh flags S/SA modulate state
> 
>  What happens now when I try to connect to $ssh_host from the Internet is
>  quite weird:
>  - no blocked packets are logged
>  - on the firewall's LAN-side interface, a tcpdump shows the ssh connection
>    being forwarded to $ssh_host
>  - on $ssh_host, tcpdump shows the incoming ssh connection
>  - sshd on $ssh_host does not "pick up"
> 
>  I can ssh from the firewall to $ssh_host just fine; I haven't tested ssh
>  from Internet to firewall (with suitable pass rule). What am I missing?
>  I guess that some packet information isn't being rewritten correctly or
>  completely.

 I still haven't gotten any further.

 Thanks to Scott, Neal, and Peter's BSDCan slides, I have rewritten chunks
 of pf.conf so that it's fully up to date wrt 4.7. The subject of my post
 is actually incorrect because the redirect is working, which I can verify
 with tcpdumps of the gateway external and internal interface, pflog, and
 tcpdump on the target host's interface.

 Looking at the tcpdumps in wireshark, I only see one-way traffic on the
 ssh port, i.e. only SYN, but no ACK. It doesn't matter whether the target
 is e.g. a Linux or FreeBSD host. Any idea why this would be happening?
 
 I can ssh from the outside to the gw (with suitable pass rules), and from
 the gw to the internal host. All these observations taken together make
 it look like pf is mucking up the packets in transit.

 I'm stumped. All other aspects of the pf config appear to work fine.
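A check that complements the tcpdumps above, added here as an example and not part of the original post: pf's own state table shows whether the gateway ever saw the reply to the redirected SYN. An inbound state that stays in SYN_SENT:CLOSED means pf forwarded the SYN but never matched a SYN-ACK coming back, which points at the return path rather than at the rdr-to rule itself. The `pfctl -ss` line layout (`<if> <proto> <dst> [(<orig-dst>)] <- <src> <state>`) and the sample lines are assumptions constructed for this script.

```shell
#!/bin/sh
# Added example, not from the original post. On the gateway it would be fed
# live output:   pfctl -ss | pf_states 22
# Offline it runs over SAMPLE_STATES, a constructed sample in the assumed
# "pfctl -ss" layout: "<if> <proto> <dst> [(<orig-dst>)] <- <src>   <state>".
SAMPLE_STATES='all tcp 192.0.2.10:22 (203.0.113.5:22) <- 198.51.100.7:51234       SYN_SENT:CLOSED
all tcp 192.0.2.10:22 (203.0.113.5:22) <- 198.51.100.9:40022       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:22 <- 198.51.100.7:51300       ESTABLISHED:ESTABLISHED'

# pf_states PORT : read "pfctl -ss" lines on stdin and print, for each
# inbound state to PORT, whether the destination was rewritten (rdr-to),
# the destination, the pf state pair, and whether the handshake completed.
pf_states() {
    port="$1"
    awk -v port="$port" '
        # inbound states carry "<-"; $3 is the (possibly translated) destination
        $3 ~ (":" port "$") && $0 ~ / <- / {
            translated = ($4 ~ /^\(/) ? "rdr" : "direct"
            state = $NF
            verdict = (state ~ /^ESTABLISHED:ESTABLISHED/) ? "ok" : "half-open"
            print translated, $3, state, verdict
        }'
}

# count_halfopen PORT : number of inbound states to PORT for which pf saw the
# SYN but never the reply; a non-zero count with tcpdump showing the SYN on
# the LAN side means the SYN-ACK is not coming back through pf.
count_halfopen() {
    pf_states "$1" | grep -c 'half-open$'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_STATES" | pf_states 22
```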
