The company I work for has a /26 subnet, and we have several servers (httpd, mail, ftp, ssh, etc.) that I need to poke holes in the firewall to allow access to.
Basic setup:
OBSD v5.4
em0 = Internet connection (all /26 public IPs are aliased in /etc/hostname.em0)
em1 = future DMZ
em2 = LAN (192.168.0.xxx)
Right now everything is on the LAN, my workstation and the servers.
I have a rule on the firewall that allows SSH access to my workstation as follows:
This works 100%
This is the result from tcpdump:
Code:
rule 2/(match) match in on em0: 72.38.43.86.2776 > 50.x.x.x.22:
rule 13/(match) pass in on em0: 72.38.43.86.2776 > 192.168.0.191.22:
rule 11/(match) pass out on em2: 72.38.43.86.2776 > 192.168.0.191.22:
These are the rules in pf.conf that match:
Code:
RULE #2: match in log all scrub (no-df)
RULE #13: pass in log on egress inet proto { tcp, udp } to $testing_pub_ip port { ssh } rdr-to $bsd_matt
RULE #11: pass in log on { $int_if }
As I said, this works perfectly. What doesn't work is if I add a rule to allow a hole for another computer (i.e. ssh access to a different computer).
New Line:
Code:
pass in log on egress inet proto { tcp, udp } to $sync_pub_ip port { ssh } rdr-to $netfs
tcpdump looks like it's working:
Code:
rule 2/(match) match in on em0: 72.38.43.86.3553 > 50.x.x.x.22
rule 15/(match) pass in on em0: 72.38.43.86.3553 > 192.168.0.152.22
rule 11/(match) pass out on em2: 72.38.43.86.3553 > 192.168.0.152.22
But the server at 192.168.0.152 never sees the ssh attempt. I am watching with:
Code:
tail -f /var/log/auth.log
So in summary:
I have a line in my pf.conf that works perfectly, but it only connects to one computer. When I edit it to connect to other computers, it doesn't work.
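A fuller version of the per-host rdr-to layout described in the post, written here as an added example and not the poster's actual pf.conf. It reuses the interface and macro names from the post; the public addresses are placeholders (the post redacts them as 50.x.x.x), and the syntax is the OpenBSD 5.4 style the post already uses. The last rule covers the case a redirected host needs when its replies do not naturally route back through this firewall.

```pf
# Added example, not the poster's ruleset. Interface names follow the post;
# the public addresses are placeholders standing in for the redacted 50.x.x.x.
ext_if = "em0"
int_if = "em2"

# Public addresses aliased on $ext_if and the LAN hosts published behind them.
testing_pub_ip = "50.0.0.10"     # placeholder
sync_pub_ip    = "50.0.0.11"     # placeholder
bsd_matt       = "192.168.0.191"
netfs          = "192.168.0.152"

set skip on lo
match in all scrub (no-df)

block log all

# One rdr-to rule per published service. "proto tcp" is sufficient for ssh;
# the post's "{ tcp, udp }" also redirects UDP/22, which ssh does not use.
pass in log on egress inet proto tcp to $testing_pub_ip port ssh rdr-to $bsd_matt
pass in log on egress inet proto tcp to $sync_pub_ip    port ssh rdr-to $netfs

# The redirected packet must be allowed out towards the LAN, and the LAN
# host's reply must be allowed back in on the same interface.
pass out log on $int_if
pass in  log on $int_if

# A redirected connection only completes if the LAN host sends its replies
# back through this firewall. If $netfs uses a different default gateway,
# pflog still shows the inbound "pass" but the handshake never finishes.
# Rewriting the source address on the way into the LAN forces the reply path
# through $int_if; uncomment only for hosts that need it, since it hides the
# real client address from the server's own logs.
# match out on $int_if proto tcp to $netfs port ssh nat-to ($int_if)
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only) and then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows whether a state for 192.168.0.152:22 exists after a connection attempt. On the server itself, `tcpdump -ni <interface> tcp port 22` shows whether the SYN arrives at all (before sshd would log anything in auth.log), and `route -n get <client address>` shows which gateway its reply would take.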