Re: Traffic redirect no longer working

2010-05-25 Thread Stuart Henderson
i think it's simpler if you write this as one rule:

pass in quick on $ext_if proto tcp from $work_hosts to $ssh_host \
    port ssh rdr-to $ssh_host modulate state

is there any change if you remove 'modulate state'? do you have any other 'match' rules that would apply to these packets?

Re: Traffic redirect no longer working

2010-05-25 Thread Lars Hecking
Stuart Henderson writes:
> i think it's simpler if you write this as one rule:
> pass in quick on $ext_if proto tcp from $work_hosts to $ssh_host \
>     port ssh rdr-to $ssh_host modulate state

I've done that after looking at Peter's presentation :)

> is there any change if you remove

Re: Traffic redirect no longer working

2010-05-25 Thread Lars Hecking
Stuart Henderson writes:
> i think it's simpler if you write this as one rule:
> pass in quick on $ext_if proto tcp from $work_hosts to $ssh_host \
>     port ssh rdr-to $ssh_host modulate state

Not quite, since $ssh_host is on the private IP network
This is the rule

pass in log quick on

Re: Traffic redirect no longer working

2010-05-24 Thread Lars Hecking
lheck...@users.sourceforge.net writes: I've used the same pf.conf for years with only minimal changes, but 4.7 broke it, and I can't seem to fix it. The OBSD machine is a firewall between a cable modem and a private IP LAN. Previously, I used these rules to allow ssh access from specific

Traffic redirect no longer working

2010-05-21 Thread lhecking
I've used the same pf.conf for years with only minimal changes, but 4.7 broke it, and I can't seem to fix it. The OBSD machine is a firewall between a cable modem and a private IP LAN. Previously, I used these rules to allow ssh access from specific Internet hosts to a machine in the LAN:

Re: Traffic redirect no longer working

2010-05-21 Thread Scott McEachern
On 05/21/10 05:37, lheck...@users.sourceforge.net wrote:
> rdr on $ext_if proto tcp from $work_hosts to any port ssh -> $ssh_host
> pass in quick on $ext_if proto tcp \
>     from $work_hosts to $ssh_host port ssh flags S/SA modulate state
>
> In 4.7, I changed this to
> match in on $ext_if proto tcp

Re: Traffic redirect no longer working

2010-05-21 Thread Neal Hogan
On Fri, May 21, 2010 at 4:37 AM, lheck...@users.sourceforge.net wrote:
> I've used the same pf.conf for years with only minimal changes, but 4.7 broke it, and I can't seem to fix it.

Reconsider the PF documentation. There have been some changes to the syntax in 4.7.

> The OBSD machine is a

Re: Traffic redirect no longer working

2010-05-21 Thread Neal Hogan
On Fri, May 21, 2010 at 6:39 AM, Lars Hecking lheck...@users.sourceforge.net wrote: Neal Hogan writes: On Fri, May 21, 2010 at 4:37 AM, lheck...@users.sourceforge.net wrote: I've used the same pf.conf for years with only minimal changes, but 4.7 broke it, and I can't seem to fix it.