Date: Fri, 11 Jan 2008 08:18:35 -0500
From: "Rodrique Heron" <swygue@rodhouse.org>
To: "Michal Varga"
Cc: freebsd-pf@freebsd.org
Subject: Re: Forwarding another host
Message-ID: <1a5f1a2d0801110518i398793a9u84a4c8924f62bcde@mail.gmail.com>
In-Reply-To: <1200021436.36543.40.camel@xenon>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 1/10/08, Michal Varga wrote:
>
> On Thu, 2008-01-10 at 21:37 -0500, Rodrique Heron wrote:
> >
> > Sorry for the duplicate, I forgot to CC the list.
> >
> > Both hosts are in the same broadcast domain, connected to the same
> > switch.
> >
> > INTERNET
> >     |
> >     |
> > PIX Firewall
> >     |
> >     |
> > SWITCH*---*HOSTA 192.168.2.14
> >   *
> >   |
> >   |
> >   *
> > HOSTB 192.168.2.27
> >
> >
> > ### /etc/pf.conf
> > ext_if = "em0"
> > int_if = "lo0"
> >
> > host_ip = "192.168.2.14"
> > jail_ip = "192.168.2.18"
> > external_host = "192.168.2.27"
> >
> > rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
> > rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22
> >
> > pass in quick all
> > pass out quick all
>
> Ok, so if I understand this correctly, you are trying to redirect
> incoming connections from the internet through HOSTA to HOSTB. The
> problem I see is that you don't translate your packets on the way back,
> so something like this happens (we will call the INTERNET/PIX
> HOST-X):
>
> 1. HOST-X sends an ssh request to HOST-A
>
> 2. HOST-A redirects the request to HOST-B
>
> 3. HOST-B sees that there is a request to ssh from HOST-X (remember, the
> packet was redirected, not translated to look as if it originated from
> HOST-A)
>
> 4. So HOST-B opens the ssh connection and sends a reply to HOST-X - I'm
> ready.
>
> 5. HOST-X now sees that HOST-B is replying with "here is your ssh", but
> HOST-X contacted HOST-A in the first place, not HOST-B, so it discards
> this connection; he doesn't know why some HOST-B is sending him
> anything.
>
> It's 4.15 AM here so I hope I didn't get the scenario wrong, but if this
> is the case, I think your problem is obvious.

Yep! I understand perfectly. Now, is there anything I can do on the PIX side to allow the traffic back to HOST-A?

Thanks

> m.
>
> --
> Michal Varga
> Stonehenge
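As an added example (not from either poster), here is the usual pf-side fix for the return-path problem Michal describes, written in the pre-4.7 pf syntax the quoted pf.conf uses and with its macro names and addresses. The rdr rules are kept; a nat rule rewrites the source of the redirected packets to HOSTA's own address, so HOSTB answers HOSTA and pf reverses both translations before the reply goes back to HOST-X. The filter section is tightened relative to the quoted "pass in quick all", which is an assumption about what HOSTA should accept.

```pf
# Added example for the thread above, not from either poster.
# Pre-4.7 pf syntax (translation rules before filter rules), same
# macros and addresses as the quoted /etc/pf.conf.
ext_if        = "em0"
host_ip       = "192.168.2.14"
jail_ip       = "192.168.2.18"
external_host = "192.168.2.27"

# Unchanged: HOST-X -> HOSTA:22 is redirected to HOSTB:22, and
# HOSTA:26 to the jail. The jail answers through HOSTA's own stack,
# so only the HOSTB redirect has the return-path problem.
rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22

# The missing piece (pf FAQ "redirection and reflection"): when the
# redirected packet goes back out em0 towards HOSTB, rewrite its source
# to HOSTA's own address. HOSTB then replies to HOSTA instead of HOST-X;
# pf matches the reply against the state it created, reverses the nat
# and then the rdr, and HOST-X sees the answer coming from HOSTA.
nat on $ext_if proto tcp from any to $external_host port 22 -> $host_ip

# Filter: allow only the two redirected services, statefully, and log
# the HOSTB sessions on HOSTA. After the nat, sshd on HOSTB sees every
# reflected client as 192.168.2.14, so HOSTA's pflog is the only place
# the real client address is recorded.
block in on $ext_if
pass in log on $ext_if proto tcp from any to $external_host port 22 flags S/SA keep state
pass in on $ext_if proto tcp from any to $jail_ip port 22 flags S/SA keep state
pass out on $ext_if keep state
```

HOSTA must also forward packets (gateway_enable="YES" in /etc/rc.conf, i.e. net.inet.ip.forwarding=1); nothing changes on the PIX, which only ever sees an exchange with HOSTA.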