Port redirection just not working!

Daniel Hartmeier daniel at benzedrine.cx
Wed Feb 1 10:09:15 PST 2006


On Wed, Feb 01, 2006 at 09:58:45AM -0600, Keith Bottner wrote:

> I am having a problem getting packet filter to redirect incoming traffic
> destined for a specific IP and port to an internal DMZ host. Interestingly
> enough I am not having a problem doing the same with SSH just with these
> nonstandard ports. I was originally redirecting the traffic and then placing
> filtering rules to pass the traffic but since I could not get that to work I
> just tried having the redirection rules pass the traffic directly bypassing
> the filtering rules, and this does NOT work either. I would appreciate any
> insight someone can give me to what I am doing wrong as I have read the
> manual several times and googled forever with no luck.

Is $dmz_clip_addr's default gateway properly set to the pf box's vr0
address?

Otherwise run tcpdump on the pf box. You should see the TCP SYN with the
yet-untranslated destination address arrive in on $ext_if, then pass out
on $dmz_if with the destination address replaced ($dmz_clip_addr). Then
you should see the TCP SYN+ACK arrive in on $dmz_if (yet-untranslated from
$dmz_clip_addr), then out on $ext_if (with source address translated
back). It depends on where, exactly, in this sequence things go wrong.

For instance, with the wrong default gateway on $dmz_clip_addr, the pf
box wouldn't get the SYN+ACK back (since it's sent to a different
gateway).

This assumes you're connecting from an external source. If it's an
internal one, replace $ext_if with $int_if above. For a source within
the DMZ, the redirection isn't supposed to work at all.

Daniel
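The four-step tcpdump sequence Daniel describes (untranslated SYN in on $ext_if, translated SYN out on $dmz_if, SYN+ACK back in on $dmz_if, SYN+ACK translated out on $ext_if) can be turned into a small checker that reads `tcpdump -n` lines captured on each interface and names the first step that is missing. This is an added example, not code from the list post or from pf itself. Interface name `em0` for $ext_if, `vr0` for $dmz_if, the documentation-range addresses, the client address and port 8080 are all assumptions; the capture lines are constructed to match the tcpdump output format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the address/port/flags part of a "tcpdump -n" TCP line, e.g.
# "10:09:15.000100 IP 198.51.100.77.41234 > 203.0.113.5.8080: Flags [S], ..."
_LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump flag string: "S" = SYN, "S." = SYN+ACK


def parse(line: str) -> Optional[Pkt]:
    """Parse one tcpdump -n line; return None for lines that are not TCP."""
    m = _LINE.search(line)
    if not m:
        return None
    return Pkt(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def _seen(lines: List[str], src=None, dst=None, dport=None, flags=None) -> bool:
    """True if any parsed packet matches every given field."""
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        if src is not None and p.src != src:
            continue
        if dst is not None and p.dst != dst:
            continue
        if dport is not None and p.dport != dport:
            continue
        if flags is not None and p.flags != flags:
            continue
        return True
    return False


def diagnose(captures: Dict[str, List[str]], ext_if: str, dmz_if: str,
             ext_addr: str, ext_port: int, dmz_addr: str, dmz_port: int) -> str:
    """Walk the rdr handshake in order and report the first step that is absent."""
    ext = captures.get(ext_if, [])
    dmz = captures.get(dmz_if, [])
    # Step 1: the SYN with the still-untranslated destination arrives on $ext_if.
    if not _seen(ext, dst=ext_addr, dport=ext_port, flags="S"):
        return "no SYN on ext_if: the traffic never reaches the pf box"
    # Step 2: the same SYN, destination rewritten to $dmz_clip_addr, leaves on $dmz_if.
    if not _seen(dmz, dst=dmz_addr, dport=dmz_port, flags="S"):
        return "SYN on ext_if but not on dmz_if: rdr rule not matching, or filter blocking it"
    # Step 3: the DMZ host answers; its SYN+ACK must come back in on $dmz_if.
    if not _seen(dmz, src=dmz_addr, flags="S."):
        return ("SYN forwarded but no SYN+ACK on dmz_if: DMZ host not answering, "
                "or its default gateway is not the pf box")
    # Step 4: the SYN+ACK goes out on $ext_if with the source translated back.
    if not _seen(ext, src=ext_addr, flags="S."):
        return "SYN+ACK on dmz_if but not on ext_if: reverse translation, state or outbound filter problem"
    return "redirection works end to end at the pf box"


# --- constructed sample captures (assumed addresses, ports and interface names) ---
EXT_ADDR, EXT_PORT = "203.0.113.5", 8080   # public address and the nonstandard port
DMZ_ADDR, DMZ_PORT = "192.0.2.20", 8080    # $dmz_clip_addr and its service port
CLIENT = "198.51.100.77"

HEALTHY = {
    "em0": [
        f"10:09:15.000100 IP {CLIENT}.41234 > {EXT_ADDR}.8080: Flags [S], seq 100, win 65535, length 0",
        f"10:09:15.000400 IP {EXT_ADDR}.8080 > {CLIENT}.41234: Flags [S.], seq 500, ack 101, win 65535, length 0",
    ],
    "vr0": [
        f"10:09:15.000200 IP {CLIENT}.41234 > {DMZ_ADDR}.8080: Flags [S], seq 100, win 65535, length 0",
        f"10:09:15.000300 IP {DMZ_ADDR}.8080 > {CLIENT}.41234: Flags [S.], seq 500, ack 101, win 65535, length 0",
    ],
}

# DMZ host replies via another gateway: the pf box sees the SYN go out but nothing come back.
WRONG_GATEWAY = {"em0": HEALTHY["em0"][:1], "vr0": HEALTHY["vr0"][:1]}

# rdr never matches: the SYN arrives on em0 and nothing appears on vr0.
NO_RDR = {"em0": HEALTHY["em0"][:1], "vr0": []}

if __name__ == "__main__":
    for name, cap in (("healthy", HEALTHY), ("wrong gateway", WRONG_GATEWAY), ("no rdr", NO_RDR)):
        print(f"{name}: {diagnose(cap, 'em0', 'vr0', EXT_ADDR, EXT_PORT, DMZ_ADDR, DMZ_PORT)}")
```

To feed it real data, run `tcpdump -n -i em0 port 8080` and `tcpdump -n -i vr0 host 192.0.2.20` on the pf box during one connection attempt and pass the lines of each capture under its interface name. As Daniel notes, the check only applies to connections from outside; for an internal client substitute $int_if for $ext_if, and for a client inside the DMZ the rdr is not expected to work at all.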

