Forwarding another host

Michal Varga varga.michal at gmail.com
Thu Jan 10 19:17:20 PST 2008


On Thu, 2008-01-10 at 21:37 -0500, Rodrique Heron wrote:
> 
> Sorry for the duplicate, I forgot to CC the list.
> 
> Both hosts are in the same broadcast domain, connected to the same
> switch.
> 
>  INTERNET
>     |
>     |
>  PIX Firewall
>     |
>     | 
>  SWITCH*---*HOSTA 192.168.2.14
>    *
>    |
>    |
>    *
>   HOSTB 192.168.2.27
> 
> 
> ###  /etc/pf.conf
> ext_if = "em0"
> int_if = "lo0"
> 
> host_ip = "192.168.2.14"
> jail_ip = "192.168.2.18"
> external_host = "192.168.2.27"
> 
> rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
> rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22
> 
> pass in quick all
> pass out quick all 
> 
Ok, so if I understand this correctly, you are trying to redirect
incoming connections from the internet through HOSTA to HOSTB. The
problem I see is that you don't translate your packets on the way back,
so something like this happens (we will call the INTERNET/PIX
HOST-X):

1. HOST-X sends an ssh request to HOST-A

2. HOST-A redirects the request to HOST-B

3. HOST-B sees that there is a request to ssh from HOST-X (remember, the
packet was redirected, not translated to look as if it originated from
HOST-A)

4. So HOST-B opens the ssh connection and sends a reply to HOST-X - I'm
ready.

5. HOST-X now sees that HOST-B is replying with "here is your ssh", but
HOST-X contacted HOST-A in the first place, not HOST-B, so it discards
this connection; it doesn't know why some HOST-B is sending it
anything.


It's 4.15 AM here so I hope I didn't get the scenario wrong, but if this
is the case, I think your problem is obvious.

m.

-- 
Michal Varga <varga.michal at gmail.com>
Stonehenge
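The asymmetric return path Michal describes (HOST-B answering HOST-X directly from 192.168.2.27) is the classic "redirection and reflection" case: when the redirect target sits on the same segment as the redirecting host, the destination rewrite alone is not enough, and the source has to be rewritten too so that HOST-B's replies come back through HOST-A where pf can reverse both translations. The ruleset below is an added example, not the configuration posted in the thread; it reuses the thread's macros and addresses (em0, 192.168.2.14, .18, .27) and assumes HOST-A is a FreeBSD box with pf enabled and IP forwarding turned on (net.inet.ip.forwarding=1, i.e. gateway_enable="YES" in rc.conf).

```pf
# Added example (not from the thread): HOST-A's /etc/pf.conf with the
# return path fixed. The rdr rule alone makes HOST-B send its SYN/ACK
# straight back to HOST-X with source 192.168.2.27, an address HOST-X
# never talked to, so HOST-X drops it. The extra nat rule rewrites the
# source of the redirected flow to HOST-A's own address, so HOST-B
# answers HOST-A and pf undoes both translations on the way back.
#
# Assumes: sysctl net.inet.ip.forwarding=1 on HOST-A.

ext_if        = "em0"
host_ip       = "192.168.2.14"   # HOST-A
jail_ip       = "192.168.2.18"   # jail alias on HOST-A
external_host = "192.168.2.27"   # HOST-B, same switch as HOST-A

# Translation rules
# Inbound on em0: rewrite the destination (same as the original rules).
rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22

# Outbound on the same em0: rewrite the source, but only for the flow that
# was just redirected to HOST-B's sshd. After this, HOST-B sees every
# forwarded session as coming from 192.168.2.14 and replies to HOST-A.
# The jail (an address local to HOST-A) needs no reflection rule.
nat on $ext_if proto tcp from any to $external_host port 22 -> $host_ip

# Filter rules (unchanged from the thread; pf evaluates filter rules after
# translation, so a tighter ruleset would match "to $external_host port 22",
# not "to $host_ip port 22").
pass in quick all
pass out quick all
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s state` should then show a single ssh session from HOST-X represented by two state entries on HOST-A, one for the rdr and one for the nat. One consequence worth planning for: HOST-B's sshd logs, hosts.allow rules and any source-address-based brute-force blocking will now see 192.168.2.14 for every forwarded login rather than the real origin, so that kind of control belongs on HOST-A (in the pf filter rules, where the original source address is still visible) rather than on HOST-B.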