I'm trying to make use of ssh using tun devices.  So I have box A with a tun0 
10.3.10.1/30 creating a tunnel to box B which has a tun10 10.3.10.230

sshd listens on port 2020 on box A.

From box B, ssh 10.3.10.1 -p 2020 works as expected.

Here's my problem.  I'd like to ssh in to box A from box C, in this case 
sitting on 76.17.219.196.  So I set up the following PF rules on box B...

rdr on em0 proto tcp from any to $me port 2020 -> 10.3.10.1 port 2020
pass in route-to tun10 proto tcp from any to 10.3.10.1 port 2020

Now, from box C, ssh $me -p 2020 times out, and the reason why is box A sees 
the traffic coming from 76.17.219.196 and replies out its default route.  No 
big deal, I should be able to fix that with route-to rules.  So box A gets...

pass out on em0 route-to tun0 proto tcp from any to any port 2020

Ideally this rule would be more specific, but I've been getting looser and 
looser with it trying to see why it won't match.

# tcpdump -i em0 port 2020

listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
21:44:19.408264 IP 10.3.10.1.xinupageserver > 
c-76-17-219-196.hsd1.mn.comcast.net.49242: S 349765613:349765613(0) ack 
97403528 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 7877043 
175504784,sackOK,eol>
21:44:22.408191 IP 10.3.10.1.xinupageserver > 
c-76-17-219-196.hsd1.mn.comcast.net.49242: S 349765613:349765613(0) ack 
97403528 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 7880043 
175504784,sackOK,eol>

I thought maybe the state table was involved...

# pfctl -s state

no output

Why are packets going out em0 and ignoring my route-to rule?

Ideas, hints, feats of magic?

-- 
Thanks,

Josh Paetzel

PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
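As an added illustration (not part of the post above), the following script parses the two tcpdump lines quoted in the post and applies a deliberately minimal PF-style matcher that handles only the port qualifier: in PF syntax, a `port` after `from` constrains the source port and a `port` after `to` constrains the destination port. It ignores addresses, interfaces and state; the only lookup it assumes is tcpdump's /etc/services name `xinupageserver` for TCP port 2020.

```python
import re

# Constructed input: the two SYN/ACK replies from the post's capture on box A,
# each re-joined onto a single line exactly as tcpdump would print it.
CAPTURE = """\
21:44:19.408264 IP 10.3.10.1.xinupageserver > c-76-17-219-196.hsd1.mn.comcast.net.49242: S 349765613:349765613(0) ack 97403528 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 7877043 175504784,sackOK,eol>
21:44:22.408191 IP 10.3.10.1.xinupageserver > c-76-17-219-196.hsd1.mn.comcast.net.49242: S 349765613:349765613(0) ack 97403528 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 7880043 175504784,sackOK,eol>
"""

# Minimal /etc/services lookup: tcpdump prints port 2020 by its service name.
SERVICES = {"xinupageserver": 2020}

# "<ts> IP <src>.<sport> > <dst>.<dport>: ..." -- greedy groups backtrack to the
# final '.' so dotted hostnames and IPs are split correctly from their port.
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\S+) > (\S+)\.(\S+): ")


def _port(token):
    """Resolve a tcpdump port token, numeric or service name, to an int."""
    return int(token) if token.isdigit() else SERVICES[token]


def parse_capture(text):
    """Return one (src_host, src_port, dst_host, dst_port) tuple per tcpdump line."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, sport, dst, dport = m.groups()
            flows.append((src, _port(sport), dst, _port(dport)))
    return flows


def rule_matches(rule, flow):
    """Port-only PF semantics: 'from ... port' is source, 'to ... port' is destination."""
    _, sport, _, dport = flow
    if rule.get("src_port") is not None and rule["src_port"] != sport:
        return False
    if rule.get("dst_port") is not None and rule["dst_port"] != dport:
        return False
    return True


# The rule from the post constrains the destination port...
POSTED_RULE = {"text": "pass out on em0 route-to tun0 proto tcp from any to any port 2020", "dst_port": 2020}
# ...while sshd's outbound replies carry 2020 as their source port.
SRC_PORT_RULE = {"text": "pass out on em0 route-to tun0 proto tcp from any port 2020 to any", "src_port": 2020}


def check(rule, text=CAPTURE):
    """Evaluate a rule against every captured packet; one bool per line."""
    return [rule_matches(rule, f) for f in parse_capture(text)]
```

Running `check(POSTED_RULE)` against the capture yields no matches because the replies have destination port 49242, whereas `check(SRC_PORT_RULE)` matches both; this only exercises the port qualifier and says nothing about why `pfctl -s state` is empty.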