From: "Gilberto Villani Brito"
To: "FreeBSD (PF)"
Date: Wed, 24 Jan 2007 11:39:06 -0200
Subject: Re: Incoming ssh doesn't quite work
Message-ID: <6e6841490701240539j5c403f9dr5a3171fa7716bf3e@mail.gmail.com>

Let's see your rules:

> ---8<---
> ext_if="xl2"
> ext_addr="172.16.1.33"
> wireless_if="xl1"
> wireless_net="192.168.100.0/24"
> proxy_addr="192.168.100.1"
>
> nat on $ext_if from $wireless_net to any port { 22, 443 } -> $ext_if
>
> rdr on $wireless_if inet proto tcp from any to any port 80 -> $proxy_addr port 3080

I didn't understand this rule; maybe it can work without that rule.

> rdr on $ext_if proto tcp from any to $ext_if port { 22, 80 } -> ($ext_if)
>
> pass in on $wireless_if inet proto tcp from $wireless_net to any port { 22, 25, 110, 443, 3080 } keep state
> pass in on $ext_if inet proto tcp from any to $ext_addr port { 22, 80 } flags S/SA synproxy state
>

This rule is wrong!!!

> pass out on $wireless_if inet proto tcp from $wireless_net to any port { 22, 25, 110, 443, 3080 } keep state

The right one is:

pass out on $wireless_if inet proto tcp from any to $wireless_net port { 22, 25, 110, 443, 3080 } keep state

> pass out on $ext_if inet proto tcp from any to any port { 22, 80 } flags S/SA synproxy state
> ---8<---

Gilberto

2007/1/23, Isaac Grover:
> Good afternoon,
>
> I have a FreeBSD 6.1 box providing authentication services for a local
> wireless hotspot. "ext_if" (xl2) connects to the DSL modem,
> "wireless_if" (xl1) connects to the wireless router. Outbound http
> and https work just fine, but outbound ssh and inbound ssh don't work
> at all. Port forwarding on the DSL modem has been enabled, and I can
> see the inbound SSH requests on ext_if, sshd is actively listening on
> the required port, but the sshd logs say about connection attempts.
>
> Is there something else that needs to be configured in pf.conf for
> inbound ssh to function correctly?
>
> ---8<---
> ext_if="xl2"
> ext_addr="172.16.1.33"
> wireless_if="xl1"
> wireless_net="192.168.100.0/24"
> proxy_addr="192.168.100.1"
>
> nat on $ext_if from $wireless_net to any port { 22, 443 } -> $ext_if
>
> rdr on $wireless_if inet proto tcp from any to any port 80 -> $proxy_addr port 3080
> rdr on $ext_if proto tcp from any to $ext_if port { 22, 80 } -> ($ext_if)
>
> pass in on $wireless_if inet proto tcp from $wireless_net to any port { 22, 25, 110, 443, 3080 } keep state
> pass in on $ext_if inet proto tcp from any to $ext_addr port { 22, 80 } flags S/SA synproxy state
>
> pass out on $wireless_if inet proto tcp from $wireless_net to any port { 22, 25, 110, 443, 3080 } keep state
> pass out on $ext_if inet proto tcp from any to any port { 22, 80 } flags S/SA synproxy state
> ---8<---
>
> Thank you,
> --
> Isaac Grover, Owner
> Quality Computer Services of River Falls, Wisconsin
> Affordable I. T. Consulting, Web Design, and Web Hosting.
> Commercial and Residential Inquiries Welcomed.
> Web: http://www.qcs-rf.com
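The direction fix from the reply, written out as an added example that is not either poster's own pf.conf: on $wireless_if, "out" is traffic leaving the firewall toward the wireless clients, so in that direction a client is the destination, not the source. The macro values are the ones posted in the thread; the comments and the pfctl check commands are mine.

```pf
# Added example, not the original poster's or the reply's pf.conf.
# Macro values are the ones posted in the thread.
ext_if="xl2"
ext_addr="172.16.1.33"
wireless_if="xl1"
wireless_net="192.168.100.0/24"

# As posted. On $wireless_if, "out" is a packet leaving the firewall
# toward a wireless client, so the client is the destination of that
# packet; a rule keyed on "from $wireless_net" is looking at the wrong end:
#
#   pass out on $wireless_if inet proto tcp from $wireless_net to any \
#       port { 22, 25, 110, 443, 3080 } keep state

# As corrected in the reply: remote end as source, wireless network as
# destination.
pass out on $wireless_if inet proto tcp from any to $wireless_net \
    port { 22, 25, 110, 443, 3080 } keep state

# Client-initiated sessions arrive on $wireless_if. The "keep state" here
# creates the state entry, and reply packets that match an existing state
# are passed without the out rules being evaluated at all.
pass in on $wireless_if inet proto tcp from $wireless_net to any \
    port { 22, 25, 110, 443, 3080 } keep state

# Inbound ssh and http on the external side, as posted.
pass in on $ext_if inet proto tcp from any to $ext_addr port { 22, 80 } \
    flags S/SA synproxy state

# Checks, run on the firewall itself:
#   pfctl -nf /etc/pf.conf   parse the file without loading it
#   pfctl -vsr               per-rule packet and state counters; a rule
#                            whose counters stay at 0 during an ssh attempt
#                            is not the one matching that traffic
#   pfctl -ss                current state table, to confirm whether the
#                            inbound ssh SYN on $ext_if created a state
```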