
I have a network router that connects three networks with the outside world. One of the internal networks is public-facing; the other two are not and are connected via NAT. I am part of a larger network and the router has the IP 1.2.3.1 in that larger network, but this IP cannot connect to the outside and only traffic from external_net is allowed.

I now want to do port forwarding on the router IP to SSH on a machine behind the NAT. I am using pf on FreeBSD.

My pf.conf is:

# define network macros
uplink_iface = "igb4"
external_iface = "igb3"
l_iface = "igb5"
i_iface = "igb2"
d_iface = "igb1"
external_host = "1.2.3.1/32"

external_net = "1.2.4.0/25"
l_net = $l_iface:network
i_net = $i_iface:network
d_net = $d_iface:network

set skip on lo0

# tell the sender that they are running into pf
set block-policy return
# do not keep states unnecessarily long
set optimization aggressive

# NAT config
nat on $uplink_iface from $l_net to any -> $external_host
nat on $uplink_iface from $i_net to any -> $external_host
nat on $uplink_iface from $d_net to any -> $external_host

# port forward for SSH; the posted file referenced an undefined $e_iface macro here,
# which pfctl rejects at load time, so it is taken to mean $external_iface
rdr pass log (all) on { $uplink_iface, $i_iface, $external_iface } proto tcp from any to $external_host port 6987 -> 192.168.2.2 port 22

# do not allow anything but the below rules
block all

# allow incoming traffic only to our external IP range/server
pass from any to $external_net keep state

# allow any outgoing traffic from server and employee machines (tbd)
pass from { $d_net, $i_net, $l_net, $external_net } to any keep state

What I know:

  • somehow this does not work from the outside, as it times out
  • from the inside (i.e., any of the defined nets) an ssh to the port works
  • the tcpdump of the pflog shows that in both cases the port forwarding is triggered
  • a tcpdump on the corresponding interfaces confirmed that when the request comes from one of the internal interfaces it is forwarded; when it is external, it is not
  • when removing block all, everything works. However, I do not want to drop this rule

Why can't I connect via ssh from the outside but from the inside?

  • too noisy and vague description TBH, but first q-n is if you tcpdumped pflog why didn't you tcpdump the SSH traffic itself to verify it goes as you imagine
    – poige
    Commented Feb 5, 2021 at 6:10
  • @poige How can I make the description more precise? This is 1:1 my pf.conf (besides changed IPs obviously). What do you mean by tcpdump the ssh traffic? I.e., each interface with an ssh filter?
    – Sim
    Commented Feb 5, 2021 at 10:25

1 Answer


It is not sufficient to simply redirect the traffic; you also have to allow it. I guess because the block all rule comes after the rdr pass, block takes precedence.

pass proto tcp from any to 192.168.2.2 port 22 keep state
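As an added example (not the asker's pf.conf or the answerer's rule), this is a minimal fragment for the same forward that keeps block all and adds explicit pass rules for the translated destination in both directions. Interface macros and 192.168.2.2 come from the question; putting the rdr only on the uplink, the ssh_host macro and flags S/SA are assumptions.

```pf
# Added example: forward uplink port 6987 to SSH on 192.168.2.2 while keeping "block all".
# Macros as in the question; the rdr is placed only on the uplink here (one entry point).
uplink_iface = "igb4"
i_iface = "igb2"
external_host = "1.2.3.1/32"
ssh_host = "192.168.2.2"

rdr on $uplink_iface proto tcp from any to $external_host port 6987 -> $ssh_host port 22

block all

# Filter rules are evaluated after translation, so the pass rule must name the
# post-rdr destination (192.168.2.2 port 22), not 1.2.3.1 port 6987.
pass in on $uplink_iface proto tcp from any to $ssh_host port 22 flags S/SA keep state

# The same flow leaves through the internal interface toward the host. With the
# FreeBSD default "set state-policy floating" the state above already covers
# this hop; the explicit rule keeps it working under "set state-policy if-bound".
pass out on $i_iface proto tcp from any to $ssh_host port 22 keep state
```

pfctl -nf /etc/pf.conf parses the file without loading it (it would have rejected the undefined $e_iface macro in the posted config), and pfctl -ss | grep 192.168.2.2 shows whether a state was actually created for the forwarded connection.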
