I've used the same pf.conf for years with only minimal changes, but 4.7
broke it, and I can't seem to fix it.
The OBSD machine is a firewall between a cable modem and a private IP LAN.
Previously, I used these rules to allow ssh access from specific Internet
hosts to a machine in the LAN:
rdr on $ext_if proto tcp from $work_hosts to any port ssh -> $ssh_host
pass in quick on $ext_if proto tcp \
from $work_hosts to $ssh_host port ssh flags S/SA modulate state
In 4.7, I changed this to
match in on $ext_if proto tcp from $work_hosts to any port ssh rdr-to $ssh_host
pass in quick on $ext_if proto tcp \
from $work_hosts to $ssh_host port ssh flags S/SA modulate state
What happens now when I try to connect to $ssh_host from the Internet is quite
weird:
- no blocked packets are logged
- on the firewall's LAN-side interface, a tcpdump shows the ssh connection
being forwarded to $ssh_host
- on $ssh_host, tcpdump shows the incoming ssh connection
- sshd on $ssh_host does not "pick up"
I can ssh from the firewall to $ssh_host just fine; I haven't tested ssh
from Internet to firewall (with suitable pass rule). What am I missing?
I guess that some packet information isn't being rewritten correctly or
completely.
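A complete 4.7-style fragment for the setup described above, added here as a worked example; it is not the poster's own pf.conf. The macro names come from the post, while the interface names and the addresses assigned to them are assumed placeholders, and the closing comment lists the pfctl and sysctl checks that confirm whether the rdr-to match and the pass rule are both being hit.

```pf
# Added example: OpenBSD 4.7-style pf.conf for a firewall between a cable
# modem ($ext_if) and a private LAN ($int_if), forwarding ssh from a few
# Internet hosts to one LAN machine. Interface names and addresses are
# assumed placeholders, not values from the post.
ext_if     = "xl0"
int_if     = "xl1"
work_hosts = "{ 203.0.113.10, 203.0.113.11 }"   # constructed example addresses
ssh_host   = "192.168.1.5"

set skip on lo

# 4.7 syntax: translation is an option on match/pass rules, not a rule type.
match out on $ext_if from $int_if:network to any nat-to ($ext_if)

# Default deny with logging, so "no blocked packets logged" can be checked
# with: tcpdump -n -e -ttt -i pflog0
block log all

# 1. Rewrite the destination of inbound ssh from the allowed hosts.
#    A match rule never passes traffic by itself; it only attaches rdr-to
#    to the packet, which a later pass rule must still accept.
match in on $ext_if proto tcp from $work_hosts to ($ext_if) port ssh \
    rdr-to $ssh_host

# 2. The pass rule is evaluated after the rewrite, so it must match the
#    translated destination ($ssh_host), not the firewall's address.
#    "flags S/SA" and "keep state" are defaults in 4.7; modulate state is
#    kept to stay close to the original rule set.
pass in quick on $ext_if proto tcp from $work_hosts to $ssh_host port ssh \
    modulate state

# 3. The forwarded packet leaves on $int_if and the replies come back in;
#    the floating state from step 2 covers both, these rules handle the
#    rest of the LAN traffic.
pass in  on $int_if from $int_if:network
pass out on $int_if to $int_if:network
pass out on $ext_if from ($ext_if)

# Checks after "pfctl -nf /etc/pf.conf" and "pfctl -f /etc/pf.conf":
#   pfctl -vvs rules             per-rule packet counters; on a new connection
#                                both the rdr-to match and the pass rule should
#                                increment, otherwise the pass rule's addresses
#                                do not agree with the rewritten destination
#   pfctl -s states              expect one tcp entry listing the external
#                                address and $ssh_host:22 for the same flow
#   sysctl net.inet.ip.forwarding   must be 1 for rdr-to a LAN host to work
```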