I think it's simpler if you write this as one rule:

pass in quick on $ext_if proto tcp from $work_hosts to $ssh_host \
        port ssh rdr-to $ssh_host modulate state

is there any change if you remove 'modulate state'?

do you have any other 'match' rules that would apply to these packets?

reduce the ruleset to the minimum needed for the redirection and anything
critical; if it still shows the problem then it would be useful to post
the ruleset.


On 2010-05-25, Lars Hecking <lheck...@users.sourceforge.net> wrote:
> lheck...@users.sourceforge.net writes:
>>  I've used the same pf.conf for years with only minimal changes, but 4.7
>>  broke it, and I can't seem to fix it.
>> 
>>  The OBSD machine is a firewall between a cable modem and a private IP LAN.
>>  Previously, I used these rules to allow ssh access from specific Internet
>>  hosts to a machine in the LAN:
>> 
>> rdr on $ext_if proto tcp from $work_hosts to any port ssh -> $ssh_host
>> pass in quick on $ext_if proto tcp \
>>      from $work_hosts to $ssh_host port ssh flags S/SA modulate state
>> 
>>  In 4.7, I changed this to
>> 
>> match in on $ext_if proto tcp from $work_hosts to any port ssh rdr-to $ssh_host
>> pass in quick on $ext_if proto tcp \
>>      from $work_hosts to $ssh_host port ssh flags S/SA modulate state
>> 
>>  What happens now when I try to connect to $ssh_host from the Internet is quite weird:
>>  - no blocked packets are logged
>>  - on the firewall's LAN-side interface, a tcpdump shows the ssh connection
>>    being forwarded to $ssh_host
>>  - on $ssh_host, tcpdump shows the incoming ssh connection
>>  - sshd on $ssh_host does not "pick up"
>> 
>>  I can ssh from the firewall to $ssh_host just fine; I haven't tested ssh
>>  from Internet to firewall (with suitable pass rule). What am I missing?
>>  I guess that some packet information isn't being rewritten correctly or
>>  completely.
>
>  I still haven't gotten any further.
>
>  Thanks to Scott, Neal, and Peter's BSDCan slides, I have rewritten chunks
>  of pf.conf so that it's fully up to date wrt 4.7. The subject of my post
>  is actually incorrect because the redirect is working, which I can verify
>  with tcpdumps of the gateway external and internal interface, pflog, and
>  tcpdump on the target host's interface.
>
>  Looking at the tcpdumps in wireshark, I only see one-way traffic on the
>  ssh port, i.e. only SYN, but no ACK. It doesn't matter whether the target
>  is e.g. a Linux or FreeBSD host. Any idea why this would be happening?
>  
>  I can ssh from the outside to the gw (with suitable pass rules), and from
>  the gw to the internal host. All these observations taken together make
>  it look like pf is mucking up the packets in transit.
>
>  I'm stumped. All other aspects of the pf config appear to work fine.

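A reduced ruleset of the kind asked for above, as an added example rather than anything posted in the thread. Interface names, the LAN, $ssh_host and the $work_hosts addresses are constructed placeholders, and the destination is written as the gateway's external address because a rule carrying rdr-to is matched against the packet as it arrives, before translation.

```pf
# Minimal OpenBSD 4.7 pf.conf that carries only the ssh redirect and
# the pieces a gateway cannot do without.  All names and addresses
# below are constructed placeholders.  Syntax-check with: pfctl -nf pf.conf
ext_if     = "em0"
int_if     = "em1"
lan        = "10.0.0.0/24"
ssh_host   = "10.0.0.5"
work_hosts = "{ 192.0.2.10, 192.0.2.11 }"

set skip on lo

# Outbound NAT for the LAN.  It only applies to packets leaving on
# $ext_if, so it cannot rewrite the inbound ssh packets; while testing,
# any other match rule on $ext_if should be removed so that nothing
# else touches them.
match out on $ext_if inet from $lan nat-to ($ext_if)

# Default deny, logged, so any drop shows up on pflog0.
block log all

# Redirect and filter decision in one rule.  The destination is the
# gateway's external address: the criteria are checked against the
# untranslated packet, and rdr-to then rewrites the destination to
# $ssh_host.  'modulate state' is left out on purpose so the default
# 'keep state' is used; put it back to compare behaviour.
pass in quick on $ext_if inet proto tcp from $work_hosts \
        to ($ext_if) port ssh rdr-to $ssh_host

# With the default floating state-policy the state created above also
# matches the translated packet as it leaves on $int_if and the reply
# from $ssh_host on its way back; this rule is only needed if
# state-policy is set to if-bound.
pass out quick on $int_if inet proto tcp from $work_hosts \
        to $ssh_host port ssh

# Let the gateway and the LAN reach out as usual.
pass out on $ext_if inet
pass on $int_if inet
```

After loading it, `pfctl -ss` should list one state for the redirected connection showing both the external and the translated address; a state that never leaves the SYN_SENT stage confirms the reply is not coming back through the gateway.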