My firewall has two interfaces towards the internet, if_ext{1,2},
and one interface towards my home LAN, if_int.

I want to binat one host (core7) with if_ext2, and
do regular nat for the rest of the hosts on if_ext1.

The ruleset below seems to work fine, except that I cannot
SSH from the outside world to core7. All packets go fine until
core7 sends the first reply packet. My current understanding
is that the outgoing packet matches the state created by
the pass rule (#08), therefore rule #05 is not evaluated
at all, and the route-to operation is left undone. I can see
that the packet eventually matches #03 and #02 and is dropped.

How can I fix this? I tried to create a new match rule that
would do the route-to as in #05, in hopes that the match
action is also performed on packets hitting existing states.
But pfctl didn't like it.

# NAT
01 match     on $if_ext2 from $core7       to any binat-to $if_ext2
02 match out on $if_ext1 from $home_net_v4 to any nat-to  ($if_ext1)

# Block by default
03 block log all

# Incoming on fw internal interface
04 pass in quick on $if_int from $core7 to $fw_ip_addr
05 pass in quick on $if_int from $core7 to any route-to ($if_ext2 $gw2)

06 pass in quick on $if_int from $home_subnet to $fw_ip_addr
07 pass in quick on $if_int from $home_subnet to any route-to ($if_ext1 $gw1)

# Pass incoming SSH to core7
08 pass in quick on $if_ext2 proto tcp to $core7 port ssh

# Pass outgoing traffic
09 pass out quick on $if_int to $home_net_v4
10 pass out quick on $if_ext1 proto tcp from ($if_ext1) modulate state
11 pass out quick on $if_ext1 proto { udp, icmp } from ($if_ext1)

12 pass out quick on $if_ext2 proto tcp from ($if_ext2) modulate state
13 pass out quick on $if_ext2 proto { udp, icmp } from ($if_ext2)

--Teemu

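The asymmetric-return problem described above, shown as an added example that is not part of Teemu's post: the state for the SSH session is created by the inbound rule on $if_ext2, so core7's replies match that floating state when they enter on $if_int and never reach rule #05. pf's reply-to option (documented in pf.conf(5)) pins the reply direction of a state to a given interface and gateway; the macros $if_ext2, $gw2 and $core7 are assumed to be the ones from the post.

```pf
# Added example, not the original ruleset. Same macros as the post:
# $if_ext2 = second external interface, $gw2 = its next hop,
# $core7 = the binat'ed LAN host.

# Before (rule #08 as posted): the state is created on $if_ext2, but
# core7's reply packets, arriving on $if_int, already match that state.
# Rule #05 is never consulted, so the reply follows the kernel's default
# route out $if_ext1 instead of $if_ext2, and is dropped there.
#
#   pass in quick on $if_ext2 proto tcp to $core7 port ssh

# After: reply-to routes every packet in the reply direction of states
# created by this rule via $if_ext2 to $gw2, regardless of the routing
# table. The initial inbound SYN is still delivered to core7 as before;
# only the return path changes. The binat rule #01 keeps translating
# core7's source address back to $if_ext2 on the way out.
pass in quick on $if_ext2 proto tcp to $core7 port ssh \
        reply-to ($if_ext2 $gw2)
```

After loading, `pfctl -nf /etc/pf.conf` checks the syntax without applying it, and `pfctl -ss` lets you confirm that a single state (not one per interface) is carrying the SSH session.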