On Fri, May 21, 2010 at 4:37 AM, <lheck...@users.sourceforge.net> wrote:
> I've used the same pf.conf for years with only minimal changes, but 4.7
> broke it, and I can't seem to fix it.
>

Reconsider the PF documentation. There have been some changes to the syntax in 4.7.

> The OBSD machine is a firewall between a cable modem and a private IP LAN.
> Previously, I used these rules to allow ssh access from specific Internet
> hosts to a machine in the LAN:
>
> rdr on $ext_if proto tcp from $work_hosts to any port ssh -> $ssh_host
> pass in quick on $ext_if proto tcp \
>     from $work_hosts to $ssh_host port ssh flags S/SA modulate state
>
> In 4.7, I changed this to
>
> match in on $ext_if proto tcp from $work_hosts to any port ssh rdr-to $ssh_host
> pass in quick on $ext_if proto tcp \
>     from $work_hosts to $ssh_host port ssh flags S/SA modulate state
>
> What happens now when I try to connect to $ssh_host from the Internet is quite
> weird:
> - no blocked packets are logged
> - on the firewall's LAN-side interface, a tcpdump shows the ssh connection
>   being forwarded to $ssh_host
> - on $ssh_host, tcpdump shows the incoming ssh connection
> - sshd on $ssh_host does not "pick up"
>
> I can ssh from the firewall to $ssh_host just fine; I haven't tested ssh
> from Internet to firewall (with suitable pass rule). What am I missing?
> I guess that some packet information isn't being rewritten correctly or
> completely.
>
> ---------------------------------------------------------------
> This message and any attachments may contain Cypress (or its
> subsidiaries) confidential information. If it has been received
> in error, please advise the sender and immediately delete this
> message.
> ---------------------------------------------------------------
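For reference, here is the same port forward written out as a complete pf.conf fragment in the 4.7 syntax, together with the checks one would run to see what PF actually does with the connection. This is an added example, not the poster's configuration or anything from the thread; the interface names, the work-host addresses and the LAN address of the ssh host are assumptions made up for the example.

```pf
# Added example, not the original poster's pf.conf.  All macro values below
# are assumptions chosen for illustration (RFC 5737 documentation addresses).
ext_if     = "em0"                              # assumed: cable-modem side
int_if     = "em1"                              # assumed: private LAN side
work_hosts = "{ 203.0.113.10 203.0.113.11 }"    # assumed: permitted sources
ssh_host   = "192.168.1.20"                     # assumed: LAN host running sshd

# Pre-4.7 form, kept only for comparison; it no longer parses on 4.7:
#   rdr on $ext_if proto tcp from $work_hosts to any port ssh -> $ssh_host
#   pass in quick on $ext_if proto tcp from $work_hosts to $ssh_host port ssh \
#       flags S/SA modulate state

# 4.7 form.  Translation is now an option on match/pass rules, and filter
# rules evaluated after the match see the already-translated destination,
# so the pass rule names $ssh_host rather than the external address.
# "to ($ext_if)" instead of "to any" limits the redirect to connections
# actually addressed to the firewall's own external address.
match in on $ext_if proto tcp from $work_hosts to ($ext_if) port ssh \
    rdr-to $ssh_host
pass in quick log on $ext_if proto tcp from $work_hosts to $ssh_host port ssh \
    flags S/SA modulate state

# Equivalent single-rule form: a pass rule may carry rdr-to itself.
#pass in quick log on $ext_if proto tcp from $work_hosts to ($ext_if) port ssh \
#    rdr-to $ssh_host flags S/SA modulate state

# The redirected packet still has to be allowed out on the LAN side.
pass out quick on $int_if proto tcp to $ssh_host port ssh
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without installing it, which catches leftover pre-4.7 syntax. After `pfctl -f /etc/pf.conf`, `pfctl -ss` should show one state for the connection whose destination has been rewritten to $ssh_host; `log` on the pass rule makes the accepted SYN visible with `tcpdump -n -e -ttt -i pflog0`, which is the quickest way to confirm the rule that matched. One thing worth checking whenever a redirect forwards packets but the service never answers is that $ssh_host's replies actually come back through the firewall (its default route or a host route to the work hosts must point at the firewall's LAN address); if they take another path the state never completes and nothing is logged as blocked.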