Dan Swartzendruber wrote:
I have an inbound ssh tunnel to a host on the LAN. Because of an
outbound port restriction at another site, I have a duplicate ssh
tunnel mapped from 443 (https) to 22 (ssh). Both tunnels were created
with "auto-add a firewall rule..." Everything works fine. I was a
little puzzled looking at the rules, as I see this:
TCP * * lanhost 22 *
TCP * * lanhost 22 *
which are presumably the rules for the two tunnels. I was mainly
curious as to why the destination port in both cases is 22, given that
the one tunnel maps from 443 to 22. Is it because pf rule runs after
the inbound nat remaps the destination port number?
That's correct. All NAT takes place before filtering, including
translating public IPs to private ones, and translating ports where
applicable.
-cmb
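As an added illustration of the ordering described above (this is a constructed pf.conf fragment, not anything posted in the thread or generated by pfSense itself; the interface name, the LAN address and the rule wording are assumptions), here are the two port forwards from the question written in the `rdr` syntax pf used at the time, followed by the filter rule that both of them end up matching:

```conf
# Constructed example, not from the thread. Interface and address are placeholders.
ext_if  = "em0"
lanhost = "192.0.2.10"

# NAT (rdr) is evaluated first. Both forwards rewrite the destination to lanhost:22;
# the second one also rewrites the destination port from 443 to 22.
rdr on $ext_if proto tcp from any to ($ext_if) port 22  -> $lanhost port 22
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> $lanhost port 22

# Filter rules see the packet after translation, so the auto-added pass rule
# for each forward refers to lanhost port 22, never to port 443. This is why the
# rule list shows two identical "TCP * * lanhost 22 *" entries.
pass in on $ext_if proto tcp from any to $lanhost port 22
pass in on $ext_if proto tcp from any to $lanhost port 22
```

On a running system the two halves can be inspected separately: `pfctl -sn` lists the NAT rules (where the 443 still appears) and `pfctl -sr` lists the filter rules (where only the translated port 22 appears). If you need to tell the two tunnels apart in the filter logs, the distinguishing information is on the NAT side, not in the pass rules, since both pass rules are identical after translation.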