Date: Wed, 24 Jan 2007 11:39:06 -0200
From: "Gilberto Villani Brito" <linux@giboia.org>
To: "FreeBSD (PF)" <freebsd-pf@freebsd.org>
Subject: Re: Incoming ssh doesn't quite work
Message-ID: <6e6841490701240539j5c403f9dr5a3171fa7716bf3e@mail.gmail.com>
In-Reply-To: <bf7af5e50701231023mfec28f9q24ff7c37b1640f13@mail.gmail.com>
References: <bf7af5e50701231023mfec28f9q24ff7c37b1640f13@mail.gmail.com>
Let's see your rules:

> ---8<---
> ext_if="xl2"
> ext_addr="172.16.1.33"
> wireless_if="xl1"
> wireless_net="192.168.100.0/24"
> proxy_addr="192.168.100.1"
>
> nat on $ext_if from $wireless_net to any port { 22, 443 } -> $ext_if
>
> rdr on $wireless_if inet proto tcp from any to any port 80 -> $proxy_addr port 3080

I didn't understand this rule; maybe it can work without that rule.

> rdr on $ext_if proto tcp from any to $ext_if port { 22, 80 } -> ($ext_if)
>
> pass in on $wireless_if inet proto tcp from $wireless_net to any port { 22, 25, 110, 443, 3080 } keep state
> pass in on $ext_if inet proto tcp from any to $ext_addr port { 22, 80 } flags S/SA synproxy state
>

This rule is wrong!!!

> pass out on $wireless_if inet proto tcp from $wireless_net to any port { 22, 25, 110, 443, 3080 } keep state

The right one is:

pass out on $wireless_if inet proto tcp from any to $wireless_net port { 22, 25, 110, 443, 3080 } keep state

> pass out on $ext_if inet proto tcp from any to any port { 22, 80 } flags S/SA synproxy state
> ---8<---

Gilberto

2007/1/23, Isaac Grover <isaac.grover@gmail.com>:
> Good afternoon,
>
> I have a FreeBSD 6.1 box providing authentication services for a local
> wireless hotspot. "ext_if" (xl2) connects to the DSL modem,
> "wireless_if" (xl1) connects to the wireless router. Outbound http
> and https work just fine, but outbound ssh and inbound ssh don't work
> at all. Port forwarding on the DSL modem has been enabled, and I can
> see the inbound SSH requests on ext_if, sshd is actively listening on
> the required port, but the sshd logs say about connection attempts.
>
> Is there something else that needs to be configured in pf.conf for
> inbound ssh to function correctly?
>
> ---8<---
> ext_if="xl2"
> ext_addr="172.16.1.33"
> wireless_if="xl1"
> wireless_net="192.168.100.0/24"
> proxy_addr="192.168.100.1"
>
> nat on $ext_if from $wireless_net to any port { 22, 443 } -> $ext_if
>
> rdr on $wireless_if inet proto tcp from any to any port 80 -> $proxy_addr port 3080
> rdr on $ext_if proto tcp from any to $ext_if port { 22, 80 } -> ($ext_if)
>
> pass in on $wireless_if inet proto tcp from $wireless_net to any port { 22, 25, 110, 443, 3080 } keep state
> pass in on $ext_if inet proto tcp from any to $ext_addr port { 22, 80 } flags S/SA synproxy state
>
> pass out on $wireless_if inet proto tcp from $wireless_net to any port { 22, 25, 110, 443, 3080 } keep state
> pass out on $ext_if inet proto tcp from any to any port { 22, 80 } flags S/SA synproxy state
> ---8<---
>
> Thank you,
> --
> Isaac Grover, Owner
> Quality Computer Services of River Falls, Wisconsin
> Affordable I. T. Consulting, Web Design, and Web Hosting.
> Commercial and Residential Inquiries Welcomed.
> Web: http://www.qcs-rf.com
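A toy model of the directional point in Gilberto's correction, added here as an example (not code from the thread or from pf itself): it checks whether the "pass out on $wireless_if" rule as posted and as corrected would match a packet leaving xl1. The Rule and Packet classes, the stateless matching, and the sample addresses 203.0.113.5 and 192.168.100.20 are assumptions of the model.

```python
"""Toy model of pf's stateless direction/address matching, not pf itself.
It models only the thread's point: "pass out on IF from SRC to DST" matches a
packet leaving IF whose source is in SRC and destination in DST. State tracking,
nat/rdr translation and last-match-wins are ignored."""
import ipaddress
from dataclasses import dataclass

WIRELESS_NET = ipaddress.ip_network("192.168.100.0/24")  # $wireless_net
SERVICE_PORTS = frozenset({22, 25, 110, 443, 3080})      # port list on the xl1 rules

@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is crossing
    direction: str   # "in" = entering the box on iface, "out" = leaving it
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    direction: str
    iface: str
    src: object      # ipaddress network, or "any"
    dst: object      # ipaddress network, or "any"
    ports: frozenset

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in spec

def rule_matches(rule, pkt):
    """True when this single stateless rule matches the packet."""
    return (rule.direction == pkt.direction and rule.iface == pkt.iface
            and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and pkt.dport in rule.ports)

# "pass out on $wireless_if ... from $wireless_net to any ..." as posted
AS_POSTED = Rule("out", "xl1", WIRELESS_NET, "any", SERVICE_PORTS)
# "pass out on $wireless_if ... from any to $wireless_net ..." as corrected
CORRECTED = Rule("out", "xl1", "any", WIRELESS_NET, SERVICE_PORTS)

# Constructed sample: a connection from outside being forwarded out of xl1
# toward a wireless host's port 22 (addresses made up for the example).
TO_WIRELESS_HOST = Packet("xl1", "out", "203.0.113.5", "192.168.100.20", 22)

def compare(pkt):
    """Return (as_posted_matches, corrected_matches) for one packet."""
    return rule_matches(AS_POSTED, pkt), rule_matches(CORRECTED, pkt)

if __name__ == "__main__":
    print("as posted / corrected:", compare(TO_WIRELESS_HOST))  # (False, True)
```

The rule as posted only matches traffic that both comes from and leaves toward the wireless net on xl1; a reply to a client's own outbound connection matches neither version because its destination port is ephemeral, which is what the keep state entry covers.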