Date: Wed, 9 Apr 2008 17:05:28 -0500
From: Josh Paetzel <josh@tcbug.org>
To: questions@freebsd.org
Subject: PF appears to ignore packets or at least sees them differently than tcpdump
Message-ID: <200804091705.33621.josh@tcbug.org>
I'm trying to make use of ssh using tun devices. So I have box A with a tun0 10.3.10.1/30 creating a tunnel to box B which has a tun10 10.3.10.230

sshd listens on port 2020 on box A.

From box B, ssh 10.3.10.1 -p 2020 works as expected.

Here's my problem. I'd like to ssh in to box A from box C, in this case sitting on 76.17.219.196. So I set up the following PF rules on box B...

rdr on em0 proto tcp from any to $me port 2020 -> 10.3.10.1 port 2020
pass in route-to tun10 proto tcp from any to 10.3.10.1 port 2020

Now, from box C, ssh $me -p 2020 times out, and the reason why is box A sees the traffic coming from 76.17.219.196 and replies out its default route. No big deal, I should be able to fix that with route-to rules. So box A gets...

pass out on em0 route-to tun0 proto tcp from any to any port 2020

Ideally this rule would be more specific, but I've been getting looser and looser with it trying to see why it won't match.

# tcpdump -i em0 port 2020
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
21:44:19.408264 IP 10.3.10.1.xinupageserver > c-76-17-219-196.hsd1.mn.comcast.net.49242: S 349765613:349765613(0) ack 97403528 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 7877043 175504784,sackOK,eol>
21:44:22.408191 IP 10.3.10.1.xinupageserver > c-76-17-219-196.hsd1.mn.comcast.net.49242: S 349765613:349765613(0) ack 97403528 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 7880043 175504784,sackOK,eol>

I thought maybe the state table was involved...

# pfctl -s state
no output

Why are packets going out em0 and ignoring my route-to rule?

Ideas, hints, feats of magic?
-- 
Thanks,
Josh Paetzel
PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
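Added example, not code from the post or from the pf project: a small Python model of the pf fields a filter rule matches on (direction, interface, protocol, source and destination address and port), run against the two tcpdump lines quoted above. It assumes the capture is outbound on em0 (the source address 10.3.10.1 is box A's own tun0 address and the capture was taken with -i em0) and that tcpdump's service name xinupageserver stands for port 2020 as in /etc/services. What it makes visible is the direction of the port qualifier: in pf syntax "to any port 2020" constrains the destination port, while the captured SYN-ACKs leave box A with source port 2020 and destination port 49242, so the rule as posted cannot match those packets whatever the state table says. RULE_BY_SOURCE_PORT is a hypothetical variant written to show the difference, not a verified fix for the setup in the post.

```python
"""Model of the pf rule-matching fields relevant to the route-to question.

Added example, not code from the original post. It handles only direction,
interface, protocol, source/destination address and port; it does not model
state lookup, last-match evaluation or the rdr/nat steps that real pf performs.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# tcpdump prints names from /etc/services unless -n is given; the capture in
# the post shows port 2020 as "xinupageserver". Only the names needed here.
SERVICE_PORTS = {"xinupageserver": 2020, "ssh": 22}

# The two SYN-ACK lines from the post's "tcpdump -i em0 port 2020" output.
CAPTURE = [
    "21:44:19.408264 IP 10.3.10.1.xinupageserver > c-76-17-219-196.hsd1.mn.comcast.net.49242: S 349765613:349765613(0) ack 97403528 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 7877043 175504784,sackOK,eol>",
    "21:44:22.408191 IP 10.3.10.1.xinupageserver > c-76-17-219-196.hsd1.mn.comcast.net.49242: S 349765613:349765613(0) ack 97403528 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 7880043 175504784,sackOK,eol>",
]

# The rule exactly as posted for box A.
RULE_AS_POSTED = "pass out on em0 route-to tun0 proto tcp from any to any port 2020"
# Hypothetical variant that keys on the source address and port of the reply
# (illustration only, not a verified fix for the poster's setup).
RULE_BY_SOURCE_PORT = "pass out on em0 route-to tun0 proto tcp from 10.3.10.1 port 2020 to any"


@dataclass
class Packet:
    iface: str
    direction: str  # "in" or "out" relative to the host running pf
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    direction: Optional[str] = None
    iface: Optional[str] = None
    route_to: Optional[str] = None
    proto: Optional[str] = None
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None


def _port(token: str) -> int:
    """Turn a tcpdump port token (number or service name) into a port number."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def parse_tcpdump(line: str, iface: str, direction: str, proto: str = "tcp") -> Packet:
    """Parse 'IP host.port > host.port:' from one tcpdump line.

    tcpdump's default output carries neither interface nor direction, so the
    caller supplies them (here: captured with -i em0, source is box A itself).
    """
    m = re.search(r"IP (\S+) > (\S+?): ", line)
    if not m:
        raise ValueError("not a tcpdump IP line: " + line)
    src, sport = m.group(1).rsplit(".", 1)
    dst, dport = m.group(2).rsplit(".", 1)
    return Packet(iface, direction, proto, src, _port(sport), dst, _port(dport))


def parse_rule(text: str) -> Rule:
    """Parse the subset of pf.conf filter syntax used in the post."""
    toks = text.split()
    rule = Rule()
    i = 1  # toks[0] is the action (pass/block); only matching is modelled
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            rule.direction, i = tok, i + 1
        elif tok == "on":
            rule.iface, i = toks[i + 1], i + 2
        elif tok == "route-to":
            rule.route_to, i = toks[i + 1], i + 2
        elif tok == "proto":
            rule.proto, i = toks[i + 1], i + 2
        elif tok in ("from", "to"):
            addr, i = toks[i + 1], i + 2
            port = None
            if i < len(toks) and toks[i] == "port":
                port, i = int(toks[i + 1]), i + 2
            if tok == "from":
                rule.src, rule.sport = addr, port
            else:
                rule.dst, rule.dport = addr, port
        else:
            raise ValueError("unsupported token: " + tok)
    return rule


def addr_matches(rule_addr: str, pkt_addr: str) -> bool:
    """'any' matches everything; otherwise compare as IP address/network.
    A hostname left unresolved in the capture cannot be compared and does not match."""
    if rule_addr == "any":
        return True
    try:
        return ipaddress.ip_address(pkt_addr) in ipaddress.ip_network(rule_addr, strict=False)
    except ValueError:
        return False


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every field the rule specifies must agree with the packet.
    Note the asymmetry: 'to ... port N' checks the destination port only."""
    return (
        (rule.direction is None or rule.direction == pkt.direction)
        and (rule.iface is None or rule.iface == pkt.iface)
        and (rule.proto is None or rule.proto == pkt.proto)
        and addr_matches(rule.src, pkt.src)
        and (rule.sport is None or rule.sport == pkt.sport)
        and addr_matches(rule.dst, pkt.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def check_capture(lines: List[str], rule_text: str,
                  iface: str = "em0", direction: str = "out") -> List[Tuple[Packet, bool]]:
    """Return (packet, matched) for each capture line against one rule."""
    rule = parse_rule(rule_text)
    return [(p, rule_matches(rule, p))
            for p in (parse_tcpdump(line, iface, direction) for line in lines)]


if __name__ == "__main__":
    for text in (RULE_AS_POSTED, RULE_BY_SOURCE_PORT):
        print(text)
        for pkt, ok in check_capture(CAPTURE, text):
            print(f"  {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  match={ok}")
```

Two caveats the model deliberately leaves out. First, pf consults the ruleset only for packets that do not already match a state entry; a reply that matches a state created by an inbound keep-state rule skips the out rules entirely, which is what reply-to on the inbound rule exists for. Second, an empty "pfctl -s state" after traffic has passed is itself a finding worth confirming: "pfctl -s info" shows whether pf is enabled at all, "pfctl -vnf /etc/pf.conf" confirms the rule parsed as intended, and adding "log" to the rule and watching "tcpdump -n -e -ttt -i pflog0" shows which rule, if any, each packet actually hit.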