pf redirecting single ip - BSD

  1. pf redirecting single ip

    Hello,
    I've got a pf machine that is redirecting ssh traffic from the internet
    to an internal ssh server. Now I want to redirect only one external ip not
    to the ssh server, but to another box. My existing rules look roughly like:

    rdr on $ext_if inet proto tcp from any to any port 22 -> $ip1 port 22
    pass in quick on $ext_if inet proto tcp from any to $ip1 flags S/SA keep state

    That works. Now before the rdr rule I've added:
    rdr on $ext_if inet proto tcp from $external_ip to $ip2 port 22 -> $ip2 port 22
    and a pass rule
    pass in quick on $ext_if inet proto tcp from $external_ip to $ip2 port 22 flags S/SA keep state

    but the redirect ends up at the ssh server, not the second box. Any help
    appreciated.
    Thanks.
    Dave.



  2. Re: pf redirecting single ip

    Dave wrote:
    > Hello,
    > I've got a pf machine that is redirecting ssh traffic from the internet
    > to an internal ssh server. Now I want to redirect only one external ip not
    > to the ssh server, but to another box. My existing rules look roughly like:
    >
    > rdr on $ext_if inet proto tcp from any to any port 22 -> $ip1 port 22
    > pass in quick on $ext_if inet proto tcp from any to $ip1 flags S/SA keep state
    >
    > That works. Now before the rdr rule I've added:
    > rdr on $ext_if inet proto tcp from $external_ip to $ip2 port 22 -> $ip2 port 22
    > and a pass rule
    > pass in quick on $ext_if inet proto tcp from $external_ip to $ip2 port 22 flags S/SA keep state
    >
    > but the redirect ends up at the ssh server, not the second box. Any help
    > appreciated.


    Why not 'from any', like above? I'd imagine that'd do the trick.

    Joachim

  3. Re: pf redirecting single ip

    On Wed, 17 May 2006 02:59:13 GMT, Dave wrote:

    > rdr on $ext_if inet proto tcp from $external_ip to $ip2 port 22 -> $ip2 port 22


    This means you're replacing destination address $ip2 port 22 with
    address $ip2 port 22, i.e. you're not changing anything at all.

    You want something like

    rdr ... from $src to $old_dest port 22 -> $new_dest

    and then

    pass in ... from $src to $new_dest port 22

    where $old_dest is the destination address the SSH client connects
    to (i.e. your own external address, or one of them, if you have
    several), and $new_dest is your local address of the SSH server
    you want to redirect the client to. $src is the address of the
    client.

    For packets from source address $src to destination address
    $old_dest port 22, the rdr rule will replace the destination
    address $old_dest with $new_dest.

    $old_dest == $new_dest makes no sense (without translating
    the destination port); that wouldn't require any redirection
    at all.

    Daniel
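
The ruleset Daniel describes, written out as a complete pf.conf fragment with the broken rule from the first post kept as a comment beside the working one. This is an added example, not Dave's or Daniel's configuration: the interface name, the addresses and the macro names ($ext_if, $ext_addr, $client, $ssh1, $ssh2) are assumed for illustration. It uses the pre-OpenBSD 4.7 `rdr` syntax the thread uses (still the syntax on FreeBSD); on OpenBSD 4.7 and later the same thing is written as `pass in ... rdr-to`.

```pf
# Added example (not from the thread): redirect port 22 from one external
# client to a second internal host, everyone else to the first.
# Interface, addresses and macro names are assumptions for illustration.
ext_if   = "em0"
ext_addr = "203.0.113.10"     # the address SSH clients actually connect to
client   = "198.51.100.25"    # the one external IP to treat differently
ssh1     = "192.168.1.10"     # default internal SSH server
ssh2     = "192.168.1.20"     # the "other box"

# Broken rule from the first post, for comparison: an incoming packet's
# destination is $ext_addr, not $ssh2, so "to $ssh2" never matches, and
# rewriting $ssh2 -> $ssh2 would change nothing even if it did.
#rdr on $ext_if inet proto tcp from $client to $ssh2 port 22 -> $ssh2 port 22

# rdr rules are first-match: the specific rule must come before the general one.
rdr on $ext_if inet proto tcp from $client to $ext_addr port 22 -> $ssh2 port 22
rdr on $ext_if inet proto tcp from any     to $ext_addr port 22 -> $ssh1 port 22

# Filter rules see the packet after translation, so they match on the
# internal address. Pinning the port keeps each pass rule from also admitting
# untranslated traffic aimed directly at the internal host on other ports.
pass in quick on $ext_if inet proto tcp from $client to $ssh2 port 22 flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any     to $ssh1 port 22 flags S/SA keep state
```

To check it: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -f /etc/pf.conf` loads it, `pfctl -s nat` shows the translation rules in the order pf will evaluate them, and after a test connection from $client, `pfctl -s state` should show the state entry with $ssh2 as the translated destination rather than $ssh1. Note that the original "to any port 22" in the general rule would also rewrite any forwarded packet that happens to be destined to port 22 on some other host; matching on $ext_addr (or a list of the firewall's own external addresses) limits the redirect to connections actually aimed at the firewall.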
