On 05/21/10 05:37, [email protected] wrote:
rdr on $ext_if proto tcp from $work_hosts to any port ssh -> $ssh_host
pass in quick on $ext_if proto tcp \
    from $work_hosts to $ssh_host port ssh flags S/SA modulate state

In 4.7, I changed this to

match in on $ext_if proto tcp from $work_hosts to any port ssh rdr-to $ssh_host
pass in quick on $ext_if proto tcp \
    from $work_hosts to $ssh_host port ssh flags S/SA modulate state
[...]
I can ssh from the firewall to $ssh_host just fine; I haven't tested ssh from Internet to firewall (with suitable pass rule). What am I missing? I guess that some packet information isn't being rewritten correctly or completely.
Without knowing your details, I'm going to guess you need a pass out rule for your internal interface. Give it a try. I use this:
pass out quick on $int1_if tagged ext_ssh

but I also tag the matching incoming traffic.

--
- RSM
www.erratic.ca
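Putting the reply's tagging suggestion together with the 4.7 rdr-to syntax quoted above, as an added pf.conf fragment that is not from either poster; the interface names and addresses are constructed placeholders, and it assumes the match rule's tag is carried to the later pass rules.

```pf
# Constructed macro values for illustration (RFC 5737 / private ranges);
# substitute your own interfaces and hosts.
ext_if     = "em0"
int_if     = "em1"
work_hosts = "{ 192.0.2.10, 192.0.2.11 }"
ssh_host   = "10.0.0.22"

# 4.7+ style: the translation lives on a match rule, and the tag set here
# stays attached to the connection for the pass rules evaluated after it.
match in on $ext_if proto tcp from $work_hosts to any port ssh \
    rdr-to $ssh_host tag ext_ssh

# Inbound on the external interface. The destination has already been
# rewritten to $ssh_host by the match rule, so filter on the translated
# address, and only accept connections the rdr rule tagged.
pass in quick on $ext_if proto tcp from $work_hosts to $ssh_host \
    port ssh flags S/SA modulate state tagged ext_ssh

# Outbound on the internal interface toward $ssh_host, limited to the
# redirected SSH connections rather than opening the interface generally.
pass out quick on $int_if proto tcp to $ssh_host port ssh tagged ext_ssh
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then confirm with `pfctl -sr` that the loaded rules show the tag and with `pfctl -ss` that a test connection creates state on both interfaces.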

