Hi.

I've been using pf recently in a way that I haven't really before.
I have a number of machines behind a router, with ssh ports forwarded for each 
of them.

ext_if="xl0"
cluster_if="xl1"
int_if="vr0"
wi_if="ed0"

table <cluster> { 172.16.2.4, 172.16.2.5, 172.16.2.6, 172.16.2.7, 172.16.2.9, 172.16.2.10 } persist

nat on $ext_if from $cluster_if:network -> ($ext_if)
nat on $ext_if from $int_if:network -> ($ext_if)

rdr on $ext_if proto tcp from any to any port 80   -> <cluster> port 80 round-robin sticky-address
rdr on $ext_if proto tcp from any to any port 2203 -> 172.16.2.3 port 22 
rdr on $ext_if proto tcp from any to any port 2204 -> 172.16.2.4 port 22
rdr on $ext_if proto tcp from any to any port 2205 -> 172.16.2.5 port 22
rdr on $ext_if proto tcp from any to any port 2206 -> 172.16.2.6 port 22
rdr on $ext_if proto tcp from any to any port 2207 -> 172.16.2.7 port 22
rdr on $ext_if proto tcp from any to any port 2208 -> 172.16.2.8 port 22
rdr on $ext_if proto tcp from any to any port 2209 -> 172.16.2.9 port 22
rdr on $ext_if proto tcp from any to any port 2210 -> 172.16.2.10 port 22
rdr on $ext_if proto tcp from any to any port 2211 -> 172.16.2.11 port 22
pass out keep state


However, when nmap'ing from the outside, I get:
PORT     STATE    SERVICE
2203/tcp open     unknown
2204/tcp open     unknown
2205/tcp open     unknown
2206/tcp filtered unknown
2207/tcp filtered unknown
2208/tcp filtered unknown
2209/tcp filtered unknown
2210/tcp open     unknown
2211/tcp filtered unknown

Sure enough, telnet'ing to those filtered ports times out; the open
ones work fine.


Dec 01 14:21:09.986823 rule 0/(match) pass in on xl0: 69.145.82.223.49594 > 172.16.2.6.22: [|tcp] (DF)
Dec 01 14:21:09.986911 rule 0/(match) pass out on xl1: 69.145.82.223.49594 > 172.16.2.6.22: [|tcp] (DF)
Dec 01 14:21:12.968245 rule 0/(match) pass out on xl1: 69.145.82.223.49594 > 172.16.2.6.22: [|tcp] (DF)

or the round robin:

Dec 01 14:22:05.801486 rule 0/(match) pass in on xl0: 69.145.82.223.62989 > 172.16.2.6.80: [|tcp] (DF)
Dec 01 14:22:05.801572 rule 0/(match) pass out on xl1: 69.145.82.223.62989 > 172.16.2.6.80: [|tcp] (DF)
Dec 01 14:22:08.798948 rule 0/(match) pass out on xl1: 69.145.82.223.62989 > 172.16.2.6.80: [|tcp] (DF)

but 2203 works OK:
Dec 01 14:22:42.747068 rule 0/(match) pass out on xl1: 69.145.82.223.58159 > 172.16.2.3.22: [|tcp] (DF)
Dec 01 14:22:43.130634 rule 0/(match) pass in on xl1: 172.16.2.3.22 > 69.145.82.223.58159: [|tcp] (DF)
Dec 01 14:22:43.372922 rule 0/(match) pass out on xl1: 69.145.82.223.58159 > 172.16.2.3.22: [|tcp] (DF)


Suggestions on what to investigate next?
Thanks,
Elliot
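The pattern in those pflog excerpts (a SYN forwarded out xl1, retransmitted, and never answered by the backend, versus 172.16.2.3 which replies on xl1) is easy to see for three flows but tedious for a whole scan. The following Python script is an added example, not part of the original post: it parses the tcpdump-style pflog lines quoted above, treats each "pass out" packet as a forwarded connection attempt, and reports flows for which no packet ever came back from the backend. The sample lines are the post's own, re-joined onto single lines; the interface names are assumed from the ruleset.

```python
import re

# Constructed sample: the pflog lines quoted in the post, one per line.
SAMPLE_LOG = """\
Dec 01 14:21:09.986823 rule 0/(match) pass in on xl0: 69.145.82.223.49594 > 172.16.2.6.22: [|tcp] (DF)
Dec 01 14:21:09.986911 rule 0/(match) pass out on xl1: 69.145.82.223.49594 > 172.16.2.6.22: [|tcp] (DF)
Dec 01 14:21:12.968245 rule 0/(match) pass out on xl1: 69.145.82.223.49594 > 172.16.2.6.22: [|tcp] (DF)
Dec 01 14:22:42.747068 rule 0/(match) pass out on xl1: 69.145.82.223.58159 > 172.16.2.3.22: [|tcp] (DF)
Dec 01 14:22:43.130634 rule 0/(match) pass in on xl1: 172.16.2.3.22 > 69.145.82.223.58159: [|tcp] (DF)
"""

# One tcpdump-on-pflog line: timestamp, rule, action, direction, interface,
# then "src.sport > dst.dport:" (IPv4 addresses with the port appended by a dot).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) rule (?P<rule>\S+) (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_line(line):
    """Return the fields of one pflog line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def one_way_flows(log_text):
    """Map (client, cport, backend, bport) -> number of packets pf passed out
    towards the backend, for flows that never produced a packet back from it.
    A count above 1 on a fresh flow is the client's SYN retransmit."""
    forwarded = {}
    replied = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dir"] == "out":
            key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
            forwarded[key] = forwarded.get(key, 0) + 1
        else:
            # An inbound packet from the backend is the reverse of a forwarded tuple;
            # the client's own inbound SYN on xl0 reverses to nothing we forwarded.
            replied.add((rec["dst"], rec["dport"], rec["src"], rec["sport"]))
    return {k: n for k, n in forwarded.items() if k not in replied}


if __name__ == "__main__":
    for (client, cport, backend, bport), n in one_way_flows(SAMPLE_LOG).items():
        print(f"{client}:{cport} -> {backend}:{bport}: {n} packet(s) out, no reply from backend")
```

Run it against the full `tcpdump -n -e -ttt -i pflog0` capture of a scan to get one line per unanswered backend; a backend that shows up here while its neighbours reply is one whose host, listener or return route should be checked first.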
