Hi everyone,
I have a problem with pf redirection. I used this simple setup to reproduce
this issue:
An external host ("HostA") connects to port 55111 on my external interface
($IF_EXT) on my openbsd box. This connection is forwarded to the ssh-port of
an internal Server ("ServerA") using my internal interface ($IF_INT).
To allow this connection through my packet filter, it was my understanding
that I'd have at least 3 options (I am aware that redirection occurs before
filtering):
(1) allow the incoming connection on IF_EXT + allow outgoing connection on
IF_INT:
This is of course working without problems.
(2) using "rdr pass" instead of "rdr":
This works for allowing the incoming connection on $IF_EXT, but I still seem
to need an outgoing rule on $IF_INT.
(3) using "quick" with my rule for $IF_EXT:
Same thing happens as with (2).
Below are the rules I used for (3):
rdr on $IF_EXT inet proto tcp from $HostA to $IF_EXT port 55111 -> 10.2.0.58 port 22
pass in log quick on $IF_EXT inet proto tcp from $HostA to 10.2.0.58
And here is the output from pflog (hostname changed to "HostA"):
Nov 11 05:12:42.874890 rule 12/(match) pass in on xl0: HostA.33844 > vm-obsd42-1.urban.intra.ssh: [|tcp] (DF)
Nov 11 05:12:42.875015 rule 3/(match) block out on de0: HostA.33844 > vm-obsd42-1.urban.intra.ssh: [|tcp] (DF)
To verify, here are rules 3 and 12 from pfctl -srvv (external source IP
changed):
@3 block drop out log all
@12 pass in log quick on xl0 inet proto tcp from x.x.x.x to 10.2.0.58 flags S/SA keep state
I have no problem working around this problem - but I am still curious if I
fundamentally misunderstood something here or if this is not working as
expected. Any ideas?
Thanks
-Urban
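A complete ruleset for option (1) in the same pre-4.7 pf syntax the post uses, added here as an illustration and not part of the original message; the interface names, the HostA address and the macro names are assumptions, and the rules are written against the translated destination because the rdr is applied before filtering:

```pf
# Assumed macros (not from the original post); HostA is a constructed address
IF_EXT  = "xl0"
IF_INT  = "de0"
HostA   = "192.0.2.10"
ServerA = "10.2.0.58"

# Default deny in both directions. The logged "block out on de0" in the
# pflog output above is what a rule like this produces for an outbound
# packet that matches no pass rule.
block log all

# Translation happens before filtering: after this rule the packet is
# addressed to ServerA port 22, so filter rules must match the
# translated destination, not port 55111 on the external interface.
rdr on $IF_EXT inet proto tcp from $HostA to $IF_EXT port 55111 -> $ServerA port 22

# Inbound on the external interface, matched on the translated address.
pass in log quick on $IF_EXT inet proto tcp from $HostA to $ServerA port 22 flags S/SA keep state

# The forwarded packet is filtered a second time when it leaves the
# internal interface, so it needs its own pass rule there. Restricting it
# to the SSH port of ServerA keeps the redirection from becoming a
# general outbound allowance on the internal interface.
pass out log quick on $IF_INT inet proto tcp from $HostA to $ServerA port 22 flags S/SA keep state
```

Load it with `pfctl -nf pf.conf` first to check the syntax, then `pfctl -f pf.conf`; `pfctl -srvv` shows the resulting rule numbers that pflog reports.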