PF appears to ignore packets or at least sees them differently
than tcpdump
Josh Paetzel
josh at tcbug.org
Wed Apr 9 22:30:01 UTC 2008
I'm trying to make use of ssh using tun devices. So I have box A with a tun0
10.3.10.1/30 creating a tunnel to box B which has a tun10 10.3.10.230
sshd listens on port 2020 on box A.
From box B, ssh 10.3.10.1 -p 2020 works as expected.
Here's my problem. I'd like to ssh in to box A from box C, in this case
sitting on 76.17.219.196. So I set up the following PF rules on box B...
rdr on em0 proto tcp from any to $me port 2020 -> 10.3.10.1 port 2020
pass in route-to tun10 proto tcp from any to 10.3.10.1 port 2020
Now, from box C, ssh $me -p 2020 times out, and the reason why is box A sees
the traffic coming from 76.17.219.196 and replies out its default route. No
big deal, I should be able to fix that with route-to rules. So box A gets...
pass out on em0 route-to tun0 proto tcp from any to any port 2020
Ideally this rule would be more specific, but I've been getting looser and
looser with it trying to see why it won't match.
# tcpdump -i em0 port 2020
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
21:44:19.408264 IP 10.3.10.1.xinupageserver >
c-76-17-219-196.hsd1.mn.comcast.net.49242: S 349765613:349765613(0) ack
97403528 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 7877043
175504784,sackOK,eol>
21:44:22.408191 IP 10.3.10.1.xinupageserver >
c-76-17-219-196.hsd1.mn.comcast.net.49242: S 349765613:349765613(0) ack
97403528 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 7880043
175504784,sackOK,eol>
I thought maybe the state table was involved...
# pfctl -s state
no output
Why are packets going out em0 and ignoring my route-to rule?
Ideas, hints, feats of magic?
--
Thanks,
Josh Paetzel
PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
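An added example, not part of the original message and not the poster's own configuration: a pf.conf fragment for box A showing the rule as posted next to two ways of writing it so that the SYN-ACKs go back through the tunnel. The interface names, addresses and port (em0, tun0, 10.3.10.1, 2020) are the ones given in the post; everything else is assumed. The point it illustrates is that in pf syntax "from any to any port 2020" matches on the destination port, whereas the packets tcpdump captured on em0 are replies from sshd, with source port 2020 (xinupageserver) and destination port 49242, so the posted rule is never the one they hit.

```pf
# Added example (not from the original message). Names taken from the
# post: em0, tun0, 10.3.10.1, port 2020. This is box A's pf.conf.

# As posted. "to any port 2020" constrains the DESTINATION port, so the
# rule only matches packets addressed to sshd. The SYN-ACKs seen on em0
# have source port 2020 and destination port 49242, fall through this
# rule, and leave by the routing table's default route.
#pass out on em0 route-to tun0 proto tcp from any to any port 2020

# Option 1: match the replies by their source port instead.
pass out on em0 route-to tun0 proto tcp from any port 2020 to any

# Option 2 (usually the better fit): have the rule that admits the
# connection on tun0 record the return path. reply-to only has meaning
# for packets matching a state, so the rule must keep state; replies to
# that state are then sent out tun0 regardless of the routing table and
# no pass out rule on em0 is needed.
pass in on tun0 reply-to tun0 proto tcp from any to 10.3.10.1 port 2020 keep state
```

Two checks worth making before changing rules: "pfctl -s info" reports whether pf is enabled on box A at all, since an empty "pfctl -s state" is also what a disabled pf prints, and "pfctl -v -s rules" shows per-rule Evaluations and Packets counters, so a rule with evaluations but zero packets is one that is being consulted and not matched, which is exactly the symptom described above.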