We have an ipfilter-3.4.35 firewall on a SunFire V210 under Solaris 9 9/04 (compiled on this system), intranet - [bge0 IPF bge1] - internet. In order to prevent SSH attacks from the internet without changing the SSH port on all internal machines, we redirect port 22 to 22222 (blocked by ipf) and only allow a nonstandard port P, redirected to 22 by the ipnat rules

    rdr bge1 intranet/24 port 22 -> 0 port 22222 tcp
    rdr bge1 intranet/24 port P -> 0 port 22 tcp

Now, when TCP connections (specifically, NFS) are made from the intranet to an external server and the source port happens to be P, the response (AS and A packets) from the server is redirected to port 22 and thus blocked, since this port has not been opened by a previous S packet from the intranet (even if it were open, it would not reach the original client port). This redirection is visible with ipnat -l:

    RDR intern_client 22 <- -> intern_client 1022 [extern_server 2049]

As I understand rdr, such a redirection should only happen if the connection was initiated from the internet by an S packet to port P, not by a reply AS packet.
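The following Python model is an added illustration, not part of the original post and not ipfilter code. It replays the matching the post reports observing: an inbound packet on bge1 is compared with the rdr rules on interface, protocol, destination network and destination port only, with no regard to TCP flags or to whether the connection was opened from the intranet, and the first matching rule wins (an assumption of the model). The value of P (50022), the interface name, the addresses (RFC 5737 documentation ranges) and the packets are constructed placeholders; the helper names are the example's own.

```python
"""Toy model of the rdr behaviour described in the post (not ipfilter code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# rdr <iface> <dst-net> port <dport> -> <newdst> port <newdport> <proto>
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<dst>\S+)\s+port\s+(?P<dport>\d+)"
    r"\s+->\s+(?P<newdst>\S+)\s+port\s+(?P<newdport>\d+)\s+(?P<proto>tcp|udp)$"
)


@dataclass(frozen=True)
class Rdr:
    iface: str
    dst: ipaddress.IPv4Network
    dport: int
    new_dst: str        # "0" keeps the original destination address
    new_dport: int
    proto: str


@dataclass(frozen=True)
class Packet:
    """A packet arriving inbound on `iface` (only inbound packets are modelled)."""
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # ipfilter-style letters: "S", "AS", "A"


def parse_rdr(config: str) -> List[Rdr]:
    rules = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RDR_RE.match(line)
        if m is None:
            raise ValueError("unsupported rule: %r" % line)
        g = m.groupdict()
        rules.append(Rdr(g["iface"], ipaddress.ip_network(g["dst"]), int(g["dport"]),
                         g["newdst"], int(g["newdport"]), g["proto"]))
    return rules


def translate(rules: List[Rdr], pkt: Packet) -> Optional[Tuple[str, int]]:
    """Return (new_dst, new_dport) if a rule rewrites pkt, else None.

    The TCP flags are deliberately not consulted: that is exactly the
    behaviour the post observed, where a server's AS reply to port P is
    treated like a fresh S from the internet. First match wins (assumed).
    """
    for r in rules:
        if (r.iface == pkt.iface and r.proto == pkt.proto and r.dport == pkt.dport
                and ipaddress.ip_address(pkt.dst) in r.dst):
            return (pkt.dst if r.new_dst == "0" else r.new_dst), r.new_dport
    return None


def reply_to(pkt: Packet, flags: str) -> Packet:
    """The reverse-direction packet a server sends back, arriving on the same interface."""
    return Packet(pkt.iface, pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport, flags)


def colliding_ports(rules: List[Rdr], local_source_ports: Set[int]) -> Set[int]:
    """rdr target ports that internal hosts may also pick as a *source* port:
    any reply to such a connection will be caught by the rdr rule."""
    return {r.dport for r in rules if r.dport in local_source_ports}


# ---- constructed sample (placeholders, not the poster's real values) ----
P = 50022
CLIENT, NFS_SERVER, OUTSIDER = "192.0.2.10", "198.51.100.5", "203.0.113.9"
RULES = parse_rdr("""
rdr bge1 192.0.2.0/24 port 22 -> 0 port 22222 tcp
rdr bge1 192.0.2.0/24 port %d -> 0 port 22 tcp
""" % P)


def demo() -> dict:
    syn22 = Packet("bge1", "tcp", OUTSIDER, 40000, CLIENT, 22, "S")   # attacker -> real 22
    synP = Packet("bge1", "tcp", OUTSIDER, 40001, CLIENT, P, "S")     # intended SSH entry
    nfs_syn = Packet("bge1", "tcp", CLIENT, P, NFS_SERVER, 2049, "S")  # client picked sport P
    nfs_synack = reply_to(nfs_syn, "AS")                               # server's reply
    return {
        "syn22": translate(RULES, syn22),          # -> ("192.0.2.10", 22222): blocked
        "synP": translate(RULES, synP),            # -> ("192.0.2.10", 22): wanted
        "nfs_synack": translate(RULES, nfs_synack),  # -> ("192.0.2.10", 22): the problem
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
    print("colliding rdr ports:", colliding_ports(RULES, {1022, 1023, P}))
```

The `colliding_ports` check is the practical takeaway of the model: whatever port range internal clients draw their source ports from (the post's NFS client used a low reserved port), any rdr target port inside that range will catch replies to locally initiated connections, so P is only safe if no internal host can ever choose it as a source port.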
