At 05:45 PM 9/15/2005, you wrote:
> Dan Swartzendruber wrote:
>> I have an inbound ssh tunnel to a host on the LAN. Because of an
>> outbound port restriction at another site, I have a duplicate ssh
>> tunnel mapped from 443 (https) to 22 (ssh). Both tunnels were
>> created with "auto-add a firewall rule..." Everything works
>> fine. I was a little puzzled looking at the rules, as I see this:
>> TCP * * lanhost 22 *
>> TCP * * lanhost 22 *
>> which are presumably the rules for the two tunnels. I was mainly
>> curious as to why the destination port in both cases is 22, given
>> that the one tunnel maps from 443 to 22. Is it because the pf rule
>> runs after the inbound NAT remaps the destination port number?
> That's correct. All NAT takes place before filtering, including
> translating public IPs to private ones, and translating ports where
> applicable.
okay, thanks.
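The ordering described above, written out as a pf.conf fragment. This is an added example, not configuration from the thread or generated by pfSense; the interface name, the LAN host address and the macro names are placeholders.

```pf
# Constructed example: two inbound redirects feeding one LAN ssh server.
ext_if  = "em0"            # placeholder WAN interface
lanhost = "192.168.1.10"   # placeholder address of the LAN ssh host

# NAT (rdr) is evaluated first. The second rdr rewrites the destination
# port 443 -> 22 before any filter rule is consulted.
rdr on $ext_if proto tcp from any to ($ext_if) port 22  -> $lanhost port 22
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> $lanhost port 22

# Filtering sees the packet after translation, so both tunnels arrive here
# as "to $lanhost port 22". One pass rule covers both; pfSense's
# "auto-add a firewall rule" emits one such rule per NAT entry, which is
# why the two rules in the thread look identical.
pass in on $ext_if proto tcp from any to $lanhost port 22 flags S/SA keep state
```

A filter rule written against port 443 would never match the redirected tunnel, because no packet carrying destination port 443 survives past the rdr stage.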