From: Josh Paetzel <josh@tcbug.org>
To: questions@freebsd.org
Date: Wed, 9 Apr 2008 17:05:28 -0500
Subject: PF appears to ignore packets or at least sees them differently than tcpdump

I'm trying to make use of ssh using tun devices. So I have box A with a tun0 10.3.10.1/30 creating a tunnel to box B which has a tun10 10.3.10.230. sshd listens on port 2020 on box A. From box B, ssh 10.3.10.1 -p 2020 works as expected.

Here's my problem. I'd like to ssh in to box A from box C, in this case sitting on 76.17.219.196. So I set up the following PF rules on box B...

rdr on em0 proto tcp from any to $me port 2020 -> 10.3.10.1 port 2020
pass in route-to tun10 proto tcp from any to 10.3.10.1 port 2020

Now, from box C, ssh $me -p 2020 times out, and the reason why is box A sees the traffic coming from 76.17.219.196 and replies out its default route. No big deal, I should be able to fix that with route-to rules. So box A gets...

pass out on em0 route-to tun0 proto tcp from any to any port 2020

Ideally this rule would be more specific, but I've been getting looser and looser with it trying to see why it won't match.

# tcpdump -i em0 port 2020
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
21:44:19.408264 IP 10.3.10.1.xinupageserver > c-76-17-219-196.hsd1.mn.comcast.net.49242: S 349765613:349765613(0) ack 97403528 win 65535
21:44:22.408191 IP 10.3.10.1.xinupageserver > c-76-17-219-196.hsd1.mn.comcast.net.49242: S 349765613:349765613(0) ack 97403528 win 65535

I thought maybe the state table was involved...

# pfctl -s state
no output

Why are packets going out em0 and ignoring my route-to rule?

Ideas, hints, feats of magic?

-- 
Thanks,
Josh Paetzel
PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
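Added example, not code from the post above or from the FreeBSD project: a POSIX shell script that parses the two tcpdump lines quoted in the message and reports, for each captured packet, which port a pf rule's "from ... port N" clause (source port) and "to ... port N" clause (destination port) would compare against. The SAMPLE variable is constructed from the lines in the post; tcpdump printed the source port by its /etc/services name, and xinupageserver is TCP port 2020. The function names (port_of, src_port_of_line, dst_port_of_line, count_port, report) are mine.

```shell
#!/bin/sh
# Added example, not part of the original post. It extracts source and
# destination ports from tcpdump output and counts how many captured packets
# a pf "from any port N" or "to any port N" clause would select.

# Constructed from the two tcpdump lines in the post.
SAMPLE='21:44:19.408264 IP 10.3.10.1.xinupageserver > c-76-17-219-196.hsd1.mn.comcast.net.49242: S 349765613:349765613(0) ack 97403528 win 65535
21:44:22.408191 IP 10.3.10.1.xinupageserver > c-76-17-219-196.hsd1.mn.comcast.net.49242: S 349765613:349765613(0) ack 97403528 win 65535'

# port_of NAME -> numeric port; only the service names that can appear in
# SAMPLE are resolved here, so the script needs no /etc/services lookup
port_of() {
  case "$1" in
    xinupageserver) echo 2020 ;;
    ssh)            echo 22 ;;
    *)              echo "$1" ;;
  esac
}

# src_port_of_line LINE -> source port (tcpdump field 3 is "host.port")
src_port_of_line() {
  src=$(printf '%s\n' "$1" | awk '{ print $3 }')
  port_of "${src##*.}"
}

# dst_port_of_line LINE -> destination port (field 5 is "host.port:")
dst_port_of_line() {
  dst=$(printf '%s\n' "$1" | awk '{ print $5 }' | sed 's/:$//')
  port_of "${dst##*.}"
}

# count_port SIDE PORT -> number of SAMPLE lines whose SIDE port equals PORT,
# where SIDE is "from" (pf compares the source port) or "to" (destination port)
count_port() {
  n=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    case "$1" in
      from) p=$(src_port_of_line "$line") ;;
      to)   p=$(dst_port_of_line "$line") ;;
      *)    echo "count_port: SIDE must be from or to" >&2; return 2 ;;
    esac
    if [ "$p" = "$2" ]; then
      n=$((n + 1))
    fi
  done <<EOF
$SAMPLE
EOF
  echo "$n"
}

# report: print both ports of every captured packet, then the two rule counts
report() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf 'src port %s -> dst port %s\n' \
      "$(src_port_of_line "$line")" "$(dst_port_of_line "$line")"
  done <<EOF
$SAMPLE
EOF
  printf '"to any port 2020"   matches %s of %s captured packets\n' \
    "$(count_port to 2020)" "$(count_port from 2020)"
  printf '"from any port 2020" matches %s of %s captured packets\n' \
    "$(count_port from 2020)" "$(count_port from 2020)"
}

report
```

Run it as `sh parse_ports.sh`; swapping SAMPLE for the output of `tcpdump -n -i em0 port 2020` on a real box (the `-n` avoids the service-name translation that port_of handles here) turns it into a quick check of which side of a rule a captured packet's port 2020 actually sits on.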