On 05/21/10 05:37, lheck...@users.sourceforge.net wrote:
> rdr on $ext_if proto tcp from $work_hosts to any port ssh -> $ssh_host
> pass in quick on $ext_if proto tcp \
> from $work_hosts to $ssh_host port ssh flags S/SA modulate state
>
> In 4.7, I changed this to
>
> match in on $ext_if proto tcp from $work_hosts to any port ssh rdr-to $ssh_host
> pass in quick on $ext_if proto tcp \
> from $work_hosts to $ssh_host port ssh flags S/SA modulate state
>
> [...]
>
> I can ssh from the firewall to $ssh_host just fine; I haven't tested ssh
> from Internet to firewall (with suitable pass rule). What am I missing?
> I guess that some packet information isn't being rewritten correctly or
> completely.
Without knowing your details, I'm going to guess you need a pass out
rule for your internal interface. Give it a try. I use this:
pass out quick on $int1_if tagged ext_ssh
but I also tag the matching incoming traffic.
--
- RSM
www.erratic.ca
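A complete pf.conf fragment in the 4.7 syntax that puts the pieces from this thread together: the match/rdr-to rule, the inbound pass rule tagged as RSM describes, and the pass out rule on the internal interface. This is an added example, not configuration from either poster; the interface names, addresses and tag name are assumptions, and the rdr-to destination is narrowed to the firewall's own address rather than "any".

```pf
# Added example for OpenBSD 4.7 pf; interface names and addresses are constructed.
ext_if     = "em0"
int_if     = "em1"
work_hosts = "{ 192.0.2.10, 192.0.2.11 }"   # constructed: trusted external sources
ssh_host   = "10.0.0.5"                      # constructed: internal ssh server

# In 4.7 translation is an option on a 'match' rule, applied before filtering.
# Matching only the firewall's own address keeps ssh from $work_hosts to other
# destinations through the firewall from being redirected as well.
match in on $ext_if proto tcp from $work_hosts to ($ext_if) port ssh rdr-to $ssh_host

# Filter rules see the already-translated destination, so pass to $ssh_host and
# tag the state so the outbound leg can be matched without repeating addresses.
pass in quick on $ext_if proto tcp from $work_hosts to $ssh_host port ssh \
    flags S/SA modulate state tag ext_ssh

# The redirected packet still has to leave on the internal interface; a
# default "block out" policy on $int_if silently drops it at this point.
pass out quick on $int_if tagged ext_ssh
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and after a connection attempt confirm with `pfctl -ss` that a state with the translated destination was created.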