Forwarding another host

Rodrique Heron swygue at rodhouse.org
Fri Jan 11 05:18:38 PST 2008


On 1/10/08, Michal Varga <varga.michal at gmail.com> wrote:
>
>
> On Thu, 2008-01-10 at 21:37 -0500, Rodrique Heron wrote:
> >
> > Sorry for the duplicate, I forgot to CC the list.
> >
> > Both hosts are in the same broadcast domain, connected to the same
> > switch.
> >
> >  INTERNET
> >     |
> >     |
> >  PIX Firewall
> >     |
> >     |
> >  SWITCH*---*HOSTA 192.168.2.14
> >    *
> >    |
> >    |
> >    *
> >   HOSTB 192.168.2.27
> >
> >
> > ###  /etc/pf.conf
> > ext_if = "em0"
> > int_if = "lo0"
> >
> > host_ip = "192.168.2.14"
> > jail_ip = "192.168.2.18"
> > external_host = "192.168.2.27"
> >
> > rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
> > rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22
> >
> > pass in quick all
> > pass out quick all
> >
> Ok, so if I understand this correctly, you are trying to redirect
> incoming connections from the internet through HOSTA to HOSTB. The
> problem I see is that you don't translate your packets on the way back,
> so something like this happens (we will call the INTERNET/PIX as
> HOST-X):
>
> 1. HOST-X sends ssh request to HOST-A
>
> 2. HOST-A redirects the request to HOST-B
>
> 3. HOST-B sees that there is a request to ssh from HOST-X (remember, the
> packet was redirected, not translated to look as if it originated from
> HOST-A)
>
> 4. So HOST-B opens the ssh connection and sends a reply to HOST-X - I'm
> ready.
>
> 5. HOST-X now sees that HOST-B is replying with "here is your ssh", but
> HOST-X contacted HOST-A in the first place, not HOST-B, so it discards
> this connection; it doesn't know why some HOST-B is sending it
> anything.
>
>
> It's 4.15 AM here so I hope I didn't get the scenario wrong, but if this
> is the case, I think your problem is obvious.


Yep! I understand perfectly. Now, is there anything I can do on the PIX side
to allow the traffic back to HOST-A?

Thanks


> m.
>
> >
> --
> Michal Varga <varga.michal at gmail.com>
> Stonehenge
>
>
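The asymmetric path Michal describes (rdr rewrites only the destination on the way in, so HOST-B answers HOST-X directly and HOST-A never sees the reply) can be closed on HOST-A itself rather than on the PIX, by also translating the source on the way out. The following is an added example, not a config from either poster: interface and address names are taken from the quoted pf.conf, and the explicit "keep state" keywords and the forwarding sysctl are assumptions about HOST-A's setup.

```pf
# Added example (not from the thread): HOST-A's /etc/pf.conf with the
# return-path translation that the quoted config lacks. Names follow the
# quoted config; the jail rule is kept unchanged.
ext_if        = "em0"
host_ip       = "192.168.2.14"   # HOST-A, the address HOST-X connects to
jail_ip       = "192.168.2.18"
external_host = "192.168.2.27"   # HOST-B, on the same segment as HOST-A

# Step 1 (as in the original): a connection to HOST-A:22 arriving on em0
# gets its destination rewritten to HOST-B:22. rdr acts on inbound packets
# only, so the source address still says "HOST-X".
rdr on $ext_if proto tcp from any to $host_ip port 22 -> $external_host port 22
rdr on $ext_if proto tcp from any to $host_ip port 26 -> $jail_ip port 22

# Step 2 (the missing piece): the redirected packet leaves em0 again on its
# way to HOST-B. nat acts on outbound packets, so rewrite the source to
# HOST-A. HOST-B now answers HOST-A, HOST-A's state entry reverses both
# translations, and HOST-X receives a reply from the address it contacted.
# Trade-off: sshd on HOST-B logs every client as 192.168.2.14, so the
# originating address must be recorded on HOST-A (e.g. with "log") instead.
nat on $ext_if proto tcp from any to $external_host port 22 -> $host_ip

# Filtering: keep state so the reply path is matched to the translated
# entry. "quick ... all" is retained from the original for this example;
# a production ruleset would restrict it.
pass in  log quick all keep state
pass out     quick all keep state

# Assumed prerequisite: HOST-A forwards the packet back out em0, which
# requires net.inet.ip.forwarding=1 in /etc/sysctl.conf (or
# gateway_enable="YES" in /etc/rc.conf).
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` should then show one state whose translated and original address pairs both point at HOST-A for an active session.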


More information about the freebsd-pf mailing list