I've used the same pf.conf for years with only minimal changes, but 4.7 broke it, and I can't seem to fix it.
The OBSD machine is a firewall between a cable modem and a private IP LAN. Previously, I used these rules to allow ssh access from specific Internet hosts to a machine in the LAN:

    rdr on $ext_if proto tcp from $work_hosts to any port ssh -> $ssh_host
    pass in quick on $ext_if proto tcp \
        from $work_hosts to $ssh_host port ssh flags S/SA modulate state

In 4.7, I changed this to

    match in on $ext_if proto tcp from $work_hosts to any port ssh rdr-to $ssh_host
    pass in quick on $ext_if proto tcp \
        from $work_hosts to $ssh_host port ssh flags S/SA modulate state

What happens now when I try to connect to $ssh_host from the Internet is quite weird:

- no blocked packets are logged
- on the firewall's LAN-side interface, a tcpdump shows the ssh connection being forwarded to $ssh_host
- on $ssh_host, tcpdump shows the incoming ssh connection
- sshd on $ssh_host does not "pick up"

I can ssh from the firewall to $ssh_host just fine; I haven't tested ssh from the Internet to the firewall (with a suitable pass rule).

What am I missing? I guess that some packet information isn't being rewritten correctly or completely.
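As an added example (not the poster's config and not an OpenBSD tool), a small Python lint that flags pre-4.7 `rdr`/`nat`/`binat` translation rules in a pf.conf and prints the `match ... rdr-to`/`nat-to`/`binat-to` form that 4.7 expects; the pf.conf fragment below is constructed for the demonstration.

```python
import re

# Constructed pre-4.7 pf.conf fragment (sample input, not a real config).
OLD_PF_CONF = """\
ext_if = "em0"
rdr on $ext_if proto tcp from $work_hosts to any port ssh -> $ssh_host
nat on $ext_if from $int_net to any -> ($ext_if)
pass in quick on $ext_if proto tcp from $work_hosts to $ssh_host port ssh flags S/SA modulate state
"""

# Old-style translation rule: keyword, rule body, then "-> target".
TRANSLATION_RULE = re.compile(
    r"^\s*(?P<kind>rdr|nat|binat)\s+(?P<body>.*?)\s*->\s*(?P<target>\S.*?)\s*$"
)

# OpenBSD 4.7 folded the standalone rdr/nat/binat rules into translation
# options on match (or pass) rules: rdr is inbound, nat is outbound.
NEW_FORM = {
    "rdr": ("match in", "rdr-to"),
    "nat": ("match out", "nat-to"),
    "binat": ("match", "binat-to"),
}


def convert_rule(line: str):
    """Return the 4.7-style equivalent of a pre-4.7 translation rule, or None."""
    m = TRANSLATION_RULE.match(line)
    if not m:
        return None
    prefix, option = NEW_FORM[m.group("kind")]
    return f"{prefix} {m.group('body')} {option} {m.group('target')}"


def lint_pf_conf(text: str):
    """Return (lineno, original, suggestion) for every old-style translation rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        suggestion = convert_rule(line)
        if suggestion is not None:
            findings.append((lineno, line.strip(), suggestion))
    return findings


if __name__ == "__main__":
    for lineno, old, new in lint_pf_conf(OLD_PF_CONF):
        print(f"line {lineno}: {old}\n    -> {new}")
```

The pass rule is left alone: under 4.7 it still has to match the translated destination, which is why it names $ssh_host rather than the external address.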