From: Daniel Hartmeier
To: Steven Schoch
Cc: freebsd-pf@freebsd.org
Date: Sat, 20 Aug 2005 04:13:02 +0200
Subject: Re: rdr only works for some ports
Message-ID: <20050820021302.GB31370@insomnia.benzedrine.cx>
In-Reply-To: <43061982.2040907@spamcop.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Fri, Aug 19, 2005 at 10:40:18AM -0700, Steven Schoch wrote:
> Is there anything obvious I'm doing wrong? Is this a FAQ?
There are a couple of possible explanations; the two simplest ones are:

a) Make sure routing from the pf box to 192.168.1.101 works: on the pf box itself, run 'telnet 192.168.1.101 22' and verify you get a connection to the sshd and see the version string.

b) Check that routing from 192.168.1.101 to external addresses goes through the pf box (and not, for instance, through that other NAT router you mentioned). Replies from the sshd to the external ssh client must pass back through the pf box, so it can reverse the address translation.

If it's neither of those two, run tcpdump on the external and internal interface of the pf box, as well as on the interface of 192.168.1.101. Try to establish a connection from an external client and check where the TCP SYN goes through, and where the SYN+ACK reply goes through. Does the sshd box receive the SYN and send out the SYN+ACK? If so, the SYN+ACK gets lost somewhere.

Daniel
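The tcpdump procedure Daniel describes can be turned into a small triage script. The following is an added example, not part of the original reply or of pf itself: it takes the capture from each of the three vantage points (pf external interface, pf internal interface, the sshd host) and reports the first point at which the handshake stops, mapping the result back to Daniel's cases (a) and (b). The capture lines are constructed for the example and use modern tcpdump output syntax ("Flags [S]" for SYN, "Flags [S.]" for SYN+ACK); the client address 203.0.113.5 and the pf box's public address 198.51.100.1 are assumptions, only 192.168.1.101 comes from the thread.

```shell
#!/bin/sh
# Added example: locate where an rdr'd SSH handshake breaks from three tcpdump
# captures. Not from the original mail. Real captures would come from, e.g.:
#   tcpdump -n -i <ext_if> 'tcp port 22'      # on the pf box, external side
#   tcpdump -n -i <int_if> 'tcp port 22'      # on the pf box, internal side
#   tcpdump -n -i <if>     'tcp port 22'      # on the sshd host

CLIENT=203.0.113.5     # external ssh client (assumed address)
PUBLIC=198.51.100.1    # pf box external address the rdr listens on (assumed)
SSHD=192.168.1.101     # sshd host from the thread

# saw_syn CAPTURE SRC DST: true if CAPTURE holds a SYN from SRC to DST.
saw_syn() {
    printf '%s\n' "$1" | grep -q "IP $2\.[0-9]* > $3\.[0-9]*: Flags \[S\]"
}

# saw_synack CAPTURE SRC DST: true if CAPTURE holds a SYN+ACK from SRC to DST.
saw_synack() {
    printf '%s\n' "$1" | grep -q "IP $2\.[0-9]* > $3\.[0-9]*: Flags \[S\.\]"
}

# diagnose EXT_CAP INT_CAP HOST_CAP: walk the handshake in order and stop at
# the first hop where the expected packet is missing.
diagnose() {
    ext=$1; int=$2; host=$3
    if ! saw_syn "$ext" "$CLIENT" "$PUBLIC"; then
        echo "SYN never reaches the external interface: problem is upstream of the pf box"
    elif ! saw_syn "$int" "$CLIENT" "$SSHD"; then
        echo "SYN arrives but no translated SYN leaves for $SSHD: check the rdr and pass rules"
    elif ! saw_syn "$host" "$CLIENT" "$SSHD"; then
        echo "translated SYN leaves the pf box but never reaches $SSHD: check routing from the pf box (case a)"
    elif ! saw_synack "$host" "$SSHD" "$CLIENT"; then
        echo "$SSHD gets the SYN but sends no SYN+ACK: check sshd and any host firewall"
    elif ! saw_synack "$int" "$SSHD" "$CLIENT"; then
        echo "SYN+ACK leaves $SSHD but does not come back through the pf box: check the host's default route (case b)"
    elif ! saw_synack "$ext" "$PUBLIC" "$CLIENT"; then
        echo "SYN+ACK reaches the pf box but is not translated back to $CLIENT: check pf state with pfctl -ss"
    else
        echo "handshake passes through the pf box; look elsewhere"
    fi
}

# Constructed captures for the symptom in the thread: the SYN gets in, the host
# answers, but the SYN+ACK takes a different path out and never crosses the pf box.
EXT_CAP='12:00:00.000100 IP 203.0.113.5.40001 > 198.51.100.1.22: Flags [S], seq 100, win 65535, length 0'
INT_CAP='12:00:00.000200 IP 203.0.113.5.40001 > 192.168.1.101.22: Flags [S], seq 100, win 65535, length 0'
HOST_CAP='12:00:00.000300 IP 203.0.113.5.40001 > 192.168.1.101.22: Flags [S], seq 100, win 65535, length 0
12:00:00.000400 IP 192.168.1.101.22 > 203.0.113.5.40001: Flags [S.], seq 200, ack 101, win 65535, length 0'

# Constructed captures for a working rdr: both directions seen on every interface.
INT_OK="$HOST_CAP"
EXT_OK='12:00:00.000100 IP 203.0.113.5.40001 > 198.51.100.1.22: Flags [S], seq 100, win 65535, length 0
12:00:00.000500 IP 198.51.100.1.22 > 203.0.113.5.40001: Flags [S.], seq 200, ack 101, win 65535, length 0'

diagnose "$EXT_CAP" "$INT_CAP" "$HOST_CAP"
diagnose "$EXT_OK" "$INT_OK" "$HOST_CAP"
```

The ordering matters: each check assumes the previous hop was fine, so the first missing packet is the one to chase. Feed it the real captures by reading each file into a variable (e.g. `EXT_CAP=$(cat ext.txt)`); older tcpdump versions print flags as `S` rather than `Flags [S]`, so adjust the two grep patterns if your capture looks different.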