Date: Sat, 20 Aug 2005 04:13:02 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Steven Schoch <schoch@spamcop.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: rdr only works for some ports
Message-ID: <20050820021302.GB31370@insomnia.benzedrine.cx>
In-Reply-To: <43061982.2040907@spamcop.net>
References: <43061982.2040907@spamcop.net>
On Fri, Aug 19, 2005 at 10:40:18AM -0700, Steven Schoch wrote:

> Is there anything obvious I'm doing wrong? Is this a FAQ?

There are a couple of possible explanations, the two simplest ones are:

a) make sure routing from the pf box to 192.168.1.101 works: on the pf box itself, run 'telnet 192.168.1.101 22' and verify you get a connection to the sshd and see the version string.

b) check that routing from 192.168.1.101 to external addresses goes through the pf box (and not, for instance, through that other NAT router you mentioned). Replies from the sshd to the external ssh client must pass back through the pf box, so it can reverse the address translation.

If it's neither of those two, run tcpdump on the external and internal interface of the pf box, as well as on the interface of 192.168.1.101. Try to establish a connection from an external client and check where the TCP SYN goes through, and where the SYN+ACK reply goes through. Does the sshd box receive the SYN and send out the SYN+ACK? If so, the SYN+ACK gets lost somewhere.

Daniel
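The three-point tcpdump comparison Daniel describes, as an added example that is not part of the thread: a small Python checker that reads tcpdump text output captured on the pf box's external interface, its internal interface and the sshd host, and reports the first point at which the SYN or the SYN+ACK disappears. The sample lines are constructed; 192.168.1.101 and port 22 come from the thread, while 203.0.113.5 (external client) and 198.51.100.1 (pf box external address) are made up for the example.

```python
import re

# Constructed tcpdump output from the three capture points named in the mail.
# Only 192.168.1.101 and port 22 come from the thread; the other addresses
# are documentation-range values invented for this example.
SAMPLE_CAPTURES = {
    "pf_external": [
        "10:40:18.000100 IP 203.0.113.5.40000 > 198.51.100.1.22: Flags [S], seq 1000, win 65535, length 0",
    ],
    "pf_internal": [
        "10:40:18.000200 IP 203.0.113.5.40000 > 192.168.1.101.22: Flags [S], seq 1000, win 65535, length 0",
    ],
    "sshd_host": [
        "10:40:18.000300 IP 203.0.113.5.40000 > 192.168.1.101.22: Flags [S], seq 1000, win 65535, length 0",
        "10:40:18.000400 IP 192.168.1.101.22 > 203.0.113.5.40000: Flags [S.], seq 5000, ack 1001, win 65535, length 0",
    ],
}

# Order in which a packet from the external client passes the capture points on its way in.
PATH = ("pf_external", "pf_internal", "sshd_host")
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def classify(line, port=22):
    """Return 'SYN', 'SYN+ACK' or None for one tcpdump line that involves the service port."""
    m = LINE_RE.search(line)
    if not m or port not in (int(m.group(2)), int(m.group(4))):
        return None
    flags = m.group(5)                     # tcpdump prints SYN as [S] and SYN+ACK as [S.]
    if "S" not in flags:
        return None
    return "SYN+ACK" if "." in flags else "SYN"


def points_seeing(captures, kind, port=22):
    """Capture points, in PATH order, whose output contains a packet of the given kind."""
    return [p for p in PATH if any(classify(l, port) == kind for l in captures.get(p, []))]


def diagnose(captures, port=22):
    """Follow the handshake along PATH and name the first hop where it vanishes."""
    syn_at = points_seeing(captures, "SYN", port)
    synack_at = points_seeing(captures, "SYN+ACK", port)
    for p in PATH:                         # inbound: the SYN must reach every point
        if p not in syn_at:
            return f"SYN lost before {p}: check the rdr rule and routing from the pf box to the internal host"
    if "sshd_host" not in synack_at:
        return "host received the SYN but sent no SYN+ACK: check that sshd listens on that port and the host firewall"
    for p in reversed(PATH):               # outbound: the SYN+ACK must retrace the path
        if p not in synack_at:
            return f"SYN+ACK lost before {p}: replies are not routed back through the pf box, so the translation cannot be reversed"
    return "handshake seen at every capture point: rdr and routing in both directions work"
```

Run `diagnose(SAMPLE_CAPTURES)` on the constructed captures and it reports the SYN+ACK missing at the pf box's internal interface, which is exactly the asymmetric return path explanation b) describes.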