9th July 2009
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

I don't understand why you are too lazy to post your updated pf.conf. If you want people to help you, you should help those people.

The following two rules are enough to redirect ssh traffic.
Code:
# pf.conf in the pre-OpenBSD 4.7 syntax (4.7 replaced "rdr" with "match/pass ... rdr-to")
# external interface (bge0 in this example)
EXT_IF = "bge0"

# don't filter loopback traffic
set skip on lo0

# redirect TCP port 55555 arriving on the external interface to port 22 of the
# internal ssh server, and tag the packet so the filter rule below can recognise it
rdr on $EXT_IF inet proto tcp from any to any port 55555 tag SSH -> 192.168.222.11 port 22

# default policy: block everything and log it to pflog0
block log all

# let the redirected (tagged) packets in; "quick" stops further rule evaluation
pass in quick on $EXT_IF tagged SSH
When testing redirection there are two issues most people run into:
  • Testing from the internal LAN

    As explained in http://www.openbsd.dk/faq/pf/rdr.html#reflect accessing the external IP from the internal LAN does not cause redirection to work.
    You, or a friend, really needs to test from the Internet side.
  • Routing

    The default gateway of the box receiving the redirected traffic should be correct.

    If you redirect traffic to the internal LAN, the internal NIC of the firewall should be set as the default gateway.
    In case you use a DMZ the DMZ NIC of the firewall is the default gateway.

    If you forget this, like I did a couple of times, tcpdump will not show any blocked packets. Running tcpdump on the server NIC will even show the packets coming in. The server just doesn't know how to route its answer packets.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
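The way pf evaluates the two rules in the post above (translation first, first-match; filtering afterwards, last-match unless "quick"; tags carried from rdr to the filter), modelled in Python as an added example. This is not J65nko's code and not part of the original post. The LAN interface name em0, the external address 203.0.113.1, and the three sample packets are assumptions constructed for the illustration; only bge0, port 55555, the tag SSH and 192.168.222.11:22 come from the post. The third packet is the "testing from the internal LAN" case: it arrives on the LAN NIC, so "rdr on bge0" never sees it and nothing is redirected.

```python
# Added example, not from the original post: a minimal model of how pf
# evaluates the two-rule ruleset (rdr + pass in quick ... tagged SSH).
# INT_IF, EXT_ADDR and the sample packets are assumptions for the illustration.
from dataclasses import dataclass
from typing import Optional

EXT_IF = "bge0"            # from the post
INT_IF = "em0"             # assumed name of the firewall's LAN NIC
EXT_ADDR = "203.0.113.1"   # assumed public address on bge0 (TEST-NET-3)

# rdr on $EXT_IF inet proto tcp from any to any port 55555 tag SSH -> 192.168.222.11 port 22
RDR_RULES = [
    {"on": EXT_IF, "proto": "tcp", "dport": 55555, "tag": "SSH",
     "rdr_to": ("192.168.222.11", 22)},
]

# Filter rules in file order. pf uses last-match semantics unless a rule says "quick".
FILTER_RULES = [
    # block log all
    {"action": "block", "quick": False, "dir": None, "on": None, "tagged": None},
    # pass in quick on $EXT_IF tagged SSH
    {"action": "pass", "quick": True, "dir": "in", "on": EXT_IF, "tagged": "SSH"},
]


@dataclass
class Packet:
    iface: str          # interface the packet is seen on
    direction: str      # "in" or "out"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    tag: Optional[str] = None


def apply_rdr(pkt: Packet) -> Packet:
    """Translation rules run before filtering; the first matching rdr wins.
    An rdr rule 'on <if>' only sees packets arriving on that interface."""
    for rule in RDR_RULES:
        if (pkt.direction == "in" and pkt.iface == rule["on"]
                and pkt.proto == rule["proto"] and pkt.dport == rule["dport"]):
            pkt.dst, pkt.dport = rule["rdr_to"]
            pkt.tag = rule["tag"]          # the tag travels with the packet
            break
    return pkt


def filter_packet(pkt: Packet) -> str:
    """The last matching filter rule decides, except that 'quick' stops evaluation."""
    decision = "pass"  # pf passes a packet that matches no rule at all
    for rule in FILTER_RULES:
        if rule["dir"] is not None and rule["dir"] != pkt.direction:
            continue
        if rule["on"] is not None and rule["on"] != pkt.iface:
            continue
        if rule["tagged"] is not None and rule["tagged"] != pkt.tag:
            continue
        decision = rule["action"]
        if rule["quick"]:
            break
    return decision


def evaluate(pkt: Packet) -> tuple:
    """Run translation, then filtering; return (decision, final dst, final dport)."""
    pkt = apply_rdr(pkt)
    return filter_packet(pkt), pkt.dst, pkt.dport


# Constructed sample packets (addresses are assumptions, not from the post)
def from_internet_to_55555():
    """Internet client hits the forwarded port on the external interface."""
    return evaluate(Packet(EXT_IF, "in", "tcp", "198.51.100.7", 40001, EXT_ADDR, 55555))


def from_internet_to_22():
    """Internet client hits port 22 directly: no rdr, so the default block applies."""
    return evaluate(Packet(EXT_IF, "in", "tcp", "198.51.100.7", 40002, EXT_ADDR, 22))


def from_lan_to_ext_55555():
    """LAN host tests the external address: the packet arrives on the LAN NIC,
    'rdr on bge0' does not match, nothing is redirected or tagged, so it is blocked."""
    return evaluate(Packet(INT_IF, "in", "tcp", "192.168.222.50", 40003, EXT_ADDR, 55555))


if __name__ == "__main__":
    for name, fn in (("internet->55555", from_internet_to_55555),
                     ("internet->22", from_internet_to_22),
                     ("lan->ext:55555", from_lan_to_ext_55555)):
        print(name, fn())
```

Only the first packet ends up as "pass" towards 192.168.222.11:22; the LAN test is blocked before any redirection happens, which is why the post insists on testing from the Internet side (or on a separate reflection setup as in the linked FAQ section). The model deliberately stops at the firewall: the routing problem in the second bullet, a server whose default gateway is not the firewall's internal NIC, is invisible here because it only shows up when the server's reply tries to leave.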