Jason Dixon wrote:
I'm working with a fairly sizable ruleset with a lot of inter-VLAN
routing, so I've chosen to implement if-bound stateful tracking with
anchors and tagging. For some reason, PF is failing to route the
binat traffic to the internal host. In a typical case, the firewall
itself accepts SSH connections for a binat alias on carp0 that it
*should* be passing on into the internal address instead. What's
really strange is that I can see the state counter increment for the
filter rule, but not the binat.
Because binat changes the destination IP to your internal network, you need to
pass based upon the internal IP destination.
The relevant anchor file:
# Filter rules
pass in on $ext_if inet proto tcp from any to $shell_ext port \
    $shell_tcp_svcs flags S/SA tag DMZ_IN modulate state
pass in on $ext_if inet proto tcp from any to $shell_int port \
    $shell_tcp_svcs .....
pass in on $ext_if inet proto icmp from any to $shell_ext icmp-type \
    echoreq tag DMZ_IN keep state
pass out quick on $int_if tagged DMZ_IN keep state
pass in on $int_if tag DMZ keep state
Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
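The point made in the reply, written out as a complete pf.conf fragment. This is an added example, not part of the thread; the macro names follow Jason's ruleset, but the interface names and addresses are constructed placeholders, and the same correction is applied to the ICMP rule as well as the TCP one.

```pf
# Constructed values; $shell_ext is the public alias on carp0, $shell_int
# the internal host it is translated to.
ext_if = "carp0"
int_if = "em1"
shell_ext = "203.0.113.10"
shell_int = "10.0.1.10"
shell_tcp_svcs = "{ 22, 443 }"

# Translation runs before filtering: an inbound packet for $shell_ext
# has its destination rewritten to $shell_int before any filter rule
# is evaluated.
binat on $ext_if from $shell_int to any -> $shell_ext

# Wrong: the filter rule is matched against the pre-translation address,
# which the packet no longer carries by the time filtering runs.
# pass in on $ext_if inet proto tcp from any to $shell_ext \
#     port $shell_tcp_svcs flags S/SA tag DMZ_IN modulate state

# Correct: filter on the translated (internal) destination.
pass in on $ext_if inet proto tcp from any to $shell_int \
    port $shell_tcp_svcs flags S/SA tag DMZ_IN modulate state
pass in on $ext_if inet proto icmp from any to $shell_int \
    icmp-type echoreq tag DMZ_IN keep state

# Forward the tagged traffic out the inside interface.
pass out quick on $int_if tagged DMZ_IN keep state
```

After loading with pfctl -f, pfctl -vs nat shows the binat rule's evaluation and state counters, which is where the missing increments Jason noticed should now appear.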