Since I have set up pf I cannot reach the local ssh server anymore. The rules I have are pretty simple:
-----------------------------
if_ext="xl0"
if_srv="xl1"
if_users="xl2"
ip_ext="w.x.y.z"
ip_http="192.168.0.2"
ip_user1="192.168.1.2"

rdr on $if_ext proto tcp from any to $ip_ext port 80 -> $ip_http
rdr on $if_ext proto udp from any to $ip_ext port 6502 -> $ip_user1
nat on $if_ext from 192.168.1.0/24 to ! 192.168.1.0/24 -> $ip_ext

block in on $if_ext
pass on $if_users
pass on $if_srv
pass on lo0
pass in on $if_ext proto tcp from any to $ip_ext port 22 keep state
----------------------------
Traffic (surfing etc.) from the internal network ($if_users) works fine. But when I try to connect to the sshd daemon on the firewall, it does not respond.
The incoming traffic (port 80/tcp and port 6502/udp) does not pass the firewall.
You don't have any pass rules for those. The rdr rules handle translation, but the "block in on $if_ext" rule drops the packets afterward.
The ssh daemon is up and running, listening on port 22/tcp.
I have 4 IPs assigned to the external interface ($if_ext).
I don't see anything obvious about this, but is sshd listening on the right IP (or everything)? Those rules as written can't deal with all 4 IPs at once.
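An added example (not from either poster) of how the ruleset above could be completed to address both replies: pass rules for the two redirected services, and an ssh rule that matches every address on the external interface rather than only $ip_ext. The macro values are the poster's own placeholders; the "flags S/SA" option is an assumption added for stricter state creation on TCP.

```pf
# Added example, not the poster's ruleset: same macros, with the missing
# pass rules filled in. Address values are the thread's placeholders.
if_ext="xl0"
if_srv="xl1"
if_users="xl2"
ip_ext="w.x.y.z"
ip_http="192.168.0.2"
ip_user1="192.168.1.2"

rdr on $if_ext proto tcp from any to $ip_ext port 80 -> $ip_http
rdr on $if_ext proto udp from any to $ip_ext port 6502 -> $ip_user1
nat on $if_ext from 192.168.1.0/24 to ! 192.168.1.0/24 -> $ip_ext

block in on $if_ext
pass on $if_users
pass on $if_srv
pass on lo0

# With this rdr/nat syntax the filter evaluates the packet after
# translation, so the pass rules name the internal destination, not $ip_ext.
pass in on $if_ext proto tcp from any to $ip_http port 80 flags S/SA keep state
pass in on $if_ext proto udp from any to $ip_user1 port 6502 keep state

# "($if_ext)" expands to every address configured on xl0 (all four IPs,
# tracked if they change), so sshd is reachable whichever one it binds to.
pass in on $if_ext proto tcp from any to ($if_ext) port 22 flags S/SA keep state
```

Because "block in on $if_ext" has no "quick", the later pass rules win for matching packets; everything else inbound on xl0 stays blocked. Load-check the file with "pfctl -nf /etc/pf.conf" before activating it, and confirm with "pfctl -sr" that the three pass rules appear after the block rule.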
