Date: Fri, 11 Jan 2008 04:17:16 +0100
From: Michal Varga <varga.michal@gmail.com>
To: Rodrique Heron <swygue@rodhouse.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: Forwarding another host
Message-ID: <1200021436.36543.40.camel@xenon>
In-Reply-To: <1a5f1a2d0801101837r338b5453m7a8f673e3b03833e@mail.gmail.com>
References: <4784F7E3.3060508@rodhouse.org> <1199919114.59461.10.camel@xenon> <1a5f1a2d0801100501j664f6b81sebe866b986a05500@mail.gmail.com> <1199977668.36543.12.camel@xenon> <1a5f1a2d0801100910r1316d24dibb2b12720dfda207@mail.gmail.com> <1200009515.36543.27.camel@xenon> <1a5f1a2d0801101837r338b5453m7a8f673e3b03833e@mail.gmail.com>
On Thu, 2008-01-10 at 21:37 -0500, Rodrique Heron wrote:
>
> Sorry for the duplicate, I forgot to CC the list.
>
> Both hosts are in the same broadcast domain, connected to the same
> switch.
>
> INTERNET
>     |
>     |
> PIX Firewall
>     |
>     |
> SWITCH*---*HOSTA 192.168.2.14
>   *
>   |
>   |
>   *
> HOSTB 192.168.2.27
>
>
> ### /etc/pf.conf
> ext_if = "em0"
> int_if = "lo0"
>
> host_ip = "192.168.2.14"
> jail_ip = "192.168.2.18"
> external_host = "192.168.2.27"
>
> rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
> rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22
>
> pass in quick all
> pass out quick all

Ok, so if I understand this correctly, you are trying to redirect incoming
connections from the internet through HOSTA to HOSTB.

The problem I see is that you don't translate your packets on the way back,
so something like this happens (we will call the INTERNET/PIX HOST-X):

1. HOST-X sends an ssh request to HOST-A.
2. HOST-A redirects the request to HOST-B.
3. HOST-B sees that there is a request to ssh from HOST-X (remember, the
   packet was redirected, not translated to look as if it originated from
   HOST-A).
4. So HOST-B opens the ssh connection and sends a reply to HOST-X: "I'm ready."
5. HOST-X now sees that HOST-B is replying with "here is your ssh", but
   HOST-X contacted HOST-A in the first place, not HOST-B, so it discards
   this connection; he doesn't know why some HOST-B is sending him anything.

It's 4.15 AM here so I hope I didn't get the scenario wrong, but if this is
the case, I think your problem is obvious..

m.

-- 
Michal Varga <varga.michal@gmail.com>
Stonehenge
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1200021436.36543.40.camel>
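The reply path described above can be fixed on HOSTA alone by adding a source translation for the redirected packets. The following is an added example of the quoted /etc/pf.conf with that rule, written for this page by the editor; it is not from either poster. It keeps the macros and addresses from the quoted config and assumes HOSTA is forwarding packets (net.inet.ip.forwarding=1, i.e. gateway_enable="YES" in rc.conf) and that the pf on HOSTA uses the classic OpenBSD 3.x/4.x syntax of the FreeBSD 6/7 era, where nat rules must come before rdr rules in the file:

```pf
# /etc/pf.conf on HOSTA (192.168.2.14) -- example, not the original poster's file.
ext_if = "em0"
int_if = "lo0"

host_ip = "192.168.2.14"
jail_ip = "192.168.2.18"
external_host = "192.168.2.27"

# Translation section. pf requires all nat rules to precede the rdr rules.

# ADDED: rewrite the source of the redirected SSH packets to HOSTA's own
# address as they go back out em0 towards HOSTB. HOSTB now answers HOSTA,
# which holds the state for the connection and un-translates the reply
# (destination HOSTA -> original client, source HOSTB -> HOSTA) before
# sending it on. Without this rule HOSTB answers the client directly from
# 192.168.2.27, and the client, which is talking to 192.168.2.14, drops it.
nat on $ext_if proto tcp from any to $external_host port 22 -> $host_ip

# Unchanged from the quoted config: SSH to HOSTA:22 goes to HOSTB:22,
# SSH to HOSTA:26 goes to the jail's sshd.
rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22

pass in quick all
pass out quick all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then watch `pfctl -ss` while connecting: a working setup shows two state entries for one client connection, the rdr state (client -> HOSTA:22 mapped to HOSTB:22) and the nat state (HOSTA -> HOSTB:22 on behalf of the client). Two caveats: the packet enters and leaves HOSTA on the same interface, so forwarding must be enabled or the redirected packet is never sent; and because of the nat rule, sshd on HOSTB sees every forwarded login as coming from 192.168.2.14, so its logs, hosts.allow and any per-client rules on HOSTB lose the real client address. If that address matters, the cleaner alternative is to keep HOSTB's default route pointing at HOSTA (or to use a separate internal segment), which makes the replies pass through HOSTA without the source rewrite.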