Incoming ssh doesn't quite work

Gilberto Villani Brito linux at giboia.org
Wed Jan 24 14:05:45 UTC 2007


Let's see your rules:
> ---8<---
> ext_if="xl2"
> ext_addr="172.16.1.33"
> wireless_if="xl1"
> wireless_net="192.168.100.0/24"
> proxy_addr="192.168.100.1"
>
> nat on $ext_if from $wireless_net to any port { 22, 443 } -> $ext_if
>
> rdr on $wireless_if inet proto tcp from any to any port 80 -> $proxy_addr port 3080
I didn't understand this rule; maybe it can work without that rule.
> rdr on $ext_if proto tcp from any to $ext_if port { 22, 80 } -> ($ext_if)
>
> pass in on $wireless_if inet proto tcp from $wireless_net to any port { 22, 25, 110, 443, 3080 } keep state
> pass in on $ext_if inet proto tcp from any to $ext_addr port { 22, 80 } flags S/SA synproxy state
>
This rule is wrong!!!
> pass out on $wireless_if inet proto tcp from $wireless_net to any port { 22, 25, 110, 443, 3080 } keep state
The right one is:
 pass out on $wireless_if inet proto tcp from any to $wireless_net port { 22, 25, 110, 443, 3080 } keep state

> pass out on $ext_if inet proto tcp from any to any port { 22, 80 } flags S/SA synproxy state
> ---8<---

Gilberto


2007/1/23, Isaac Grover <isaac.grover at gmail.com>:
> Good afternoon,
>
> I have a FreeBSD 6.1 box providing authentication services for a local
> wireless hotspot. "ext_if" (xl2) connects to the DSL modem,
> "wireless_if" (xl1) connects to the wireless router.  Outbound http
> and https work just fine, but outbound ssh and inbound ssh don't work
> at all.  Port forwarding on the DSL modem has been enabled, and I can
> see the inbound SSH requests on ext_if, sshd is actively listening on
> the required port, but the sshd logs say nothing about connection attempts.
>
> Is there something else that needs to be configured in pf.conf for
> inbound ssh to function correctly?
>
> ---8<---
> ext_if="xl2"
> ext_addr="172.16.1.33"
> wireless_if="xl1"
> wireless_net="192.168.100.0/24"
> proxy_addr="192.168.100.1"
>
> nat on $ext_if from $wireless_net to any port { 22, 443 } -> $ext_if
>
> rdr on $wireless_if inet proto tcp from any to any port 80 -> $proxy_addr port 3080
> rdr on $ext_if proto tcp from any to $ext_if port { 22, 80 } -> ($ext_if)
>
> pass in on $wireless_if inet proto tcp from $wireless_net to any port { 22, 25, 110, 443, 3080 } keep state
> pass in on $ext_if inet proto tcp from any to $ext_addr port { 22, 80 } flags S/SA synproxy state
>
> pass out on $wireless_if inet proto tcp from $wireless_net to any port { 22, 25, 110, 443, 3080 } keep state
> pass out on $ext_if inet proto tcp from any to any port { 22, 80 } flags S/SA synproxy state
> ---8<---
>
> Thank you,
> --
> Isaac Grover, Owner
> Quality Computer Services of River Falls, Wisconsin
> Affordable I. T. Consulting, Web Design, and Web Hosting.
> Commercial and Residential Inquiries Welcomed.
> Web: http://www.qcs-rf.com
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
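As an added example for this thread, and not a ruleset from either poster, here is the same hotspot gateway written the way pf 3.x (the version in FreeBSD 6.1) expects a default-deny ruleset: a logging block rule first, then one stateful pass rule per interface and direction that traffic actually crosses. Interface names, addresses, the proxy port and the listed service ports are taken from the thread. Everything else is an assumption made here: `block log all`, `set skip on lo0`, NAT of all client traffic rather than only ports 22 and 443, the `rdr` limited to `$wireless_net`, and the UDP 53 rule for client name resolution. The posted `rdr on $ext_if ... -> ($ext_if)` is left out because redirecting a packet to the address it was already sent to changes nothing.

```pf
# Added example, not from either poster. Macros are the ones posted in the
# thread; lines marked "assumption" were not in the original ruleset.
ext_if="xl2"
ext_addr="172.16.1.33"
wireless_if="xl1"
wireless_net="192.168.100.0/24"
proxy_addr="192.168.100.1"

# Assumption: do not filter loopback at all.
set skip on lo0

# Translation rules are evaluated before filter rules, so the filter rules
# below see the rewritten addresses: proxy_addr:3080 for client web traffic
# on $wireless_if, and the $ext_if address as source on $ext_if.
# Assumption: NAT every client connection, not only ports 22 and 443.
nat on $ext_if from $wireless_net to any -> ($ext_if)
rdr on $wireless_if inet proto tcp from $wireless_net to any port 80 -> $proxy_addr port 3080

# Default deny. Assumption: "log" so that every dropped packet shows up on
# pflog0, interface and rule included, instead of having to be guessed at.
block log all

# Hotspot side. Port 3080 is what the rdr turned port 80 into; the other
# ports are NATed straight out. "keep state" is explicit because pf 3.x
# does not add it for you; it lets the replies back out on this interface.
pass in on $wireless_if inet proto tcp from $wireless_net to $proxy_addr port 3080 keep state
pass in on $wireless_if inet proto tcp from $wireless_net to any port { 22, 25, 110, 443 } keep state
# Assumption: clients resolve names themselves rather than through the proxy.
pass in on $wireless_if inet proto udp from $wireless_net to any port 53 keep state
# Anything the firewall itself sends toward the hotspot clients.
pass out on $wireless_if from any to $wireless_net keep state

# Internet side: ssh and http to the firewall itself, arriving from the
# DSL modem. Only the SYN creates state; sshd's replies ride on that state.
pass in on $ext_if inet proto tcp from any to $ext_addr port { 22, 80 } flags S/SA keep state

# A packet forwarded from the hotspot is filtered again when it leaves on
# $ext_if, and by then nat has rewritten its source to the $ext_if address,
# so one rule on that address covers both NATed client traffic and the
# proxy's own fetches (port 80 appears here, not on the hotspot side).
pass out on $ext_if inet proto tcp from ($ext_if) to any port { 22, 25, 80, 110, 443 } flags S/SA keep state
pass out on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state
```

Check it with `pfctl -nf /etc/pf.conf` (parse only) before loading it with `pfctl -f /etc/pf.conf`. Once loaded, `pfctl -vsr` shows per-rule packet and byte counters, so a rule that never matches stands out, and `pfctl -ss` shows the state table. With `block log all` in place and `pflog_enable="YES"` in rc.conf, `tcpdump -n -e -ttt -i pflog0 port 22` prints each dropped ssh packet together with the interface, direction and rule number that dropped it, which answers the thread's question of where an inbound SYN disappears far more directly than reading the rules.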