I'm having trouble getting rdr to work.  Here's the configuration:

The host on which pf is running has its own services, particularly HTTP and SSH, so I set up a pool of other (external) addresses to use for NAT. Thus, I have my aliases set up in /etc/rc.conf:

ifconfig_fxp0="inet x.y.z.5  netmask 255.255.255.0"
ifconfig_fxp1="inet 192.168.1.5  netmask 255.255.255.0"
ifconfig_fxp0_alias0="x.y.z.20 netmask 0xffffffff"
ifconfig_fxp0_alias1="x.y.z.21 netmask 0xffffffff"
ifconfig_fxp0_alias2="x.y.z.22 netmask 0xffffffff"
ifconfig_fxp0_alias3="x.y.z.23 netmask 0xffffffff"
ifconfig_fxp0_alias4="x.y.z.24 netmask 0xffffffff"

# And my pf.conf file is set up like this:

ext_if="fxp0"
external_addr="x.y.z.5"
# These are my external NAT addresses
nat1="x.y.z.21"
nat2="x.y.z.22"
nat3="x.y.z.23"
nat4="x.y.z.24"
int_if="fxp1"
internal_net="192.168.1.0/24"
table <nat_pool> { $nat1, $nat2, $nat3, $nat4 }


# I then have NAT set like this:

nat on $ext_if inet from $internal_net to any -> <nat_pool>

# Next, I want SSH and TAPI to go to particular machines on the internal net:

rdr on $ext_if proto tcp from any to $nat1/32 port 22 -> 192.168.1.101
rdr on $ext_if proto tcp from any to $nat1/32 port 5000 -> 192.168.1.7

# And some of my internal users connect to X11 clients, so I map some X11 ports:

rdr on $ext_if proto tcp from any to <nat_pool> port 6104 -> 192.168.1.104
rdr on $ext_if proto tcp from any to <nat_pool> port 6105 -> 192.168.1.105
rdr on $ext_if proto tcp from any to <nat_pool> port 6106 -> 192.168.1.106


Except for the "x.y.z", everything is exactly taken from the files.

The problem: connecting to the X11 ports works (DISPLAY=nat1.domain:104 works from an external Internet address), but ssh to nat1 times out. Yes, I know 192.168.1.101 is running a valid SSH server on port 22, since I also have a Netgear NAT router pointing to it that works just fine. The same for the system listening on port 5000.

Yes, I tried substituting <nat_pool> for $nat1/32 and vice versa as a test, but the end result is the same: Port 6104 works, but ports 22 and 5000 do not.

Is there anything obvious I'm doing wrong?  Is this a FAQ?

--
Steve
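
For context on how pf treats a rdr'd connection, here is an added pf.conf fragment (not Steve's configuration; the filter rules in it are assumed, since the post shows only the translation rules). In pf, rdr rewrites the destination before filtering, so the pass rules must match the translated internal address and port, not the external alias:

```pf
ext_if="fxp0"
int_if="fxp1"
nat1="x.y.z.21"
internal_net="192.168.1.0/24"
table <nat_pool> { x.y.z.21, x.y.z.22, x.y.z.23, x.y.z.24 }

# Translation section. Note that these rules only match packets arriving
# on $ext_if, so a test from inside $internal_net to $nat1 never hits them.
nat on $ext_if inet from $internal_net to any -> <nat_pool>
rdr on $ext_if proto tcp from any to $nat1 port 22   -> 192.168.1.101
rdr on $ext_if proto tcp from any to $nat1 port 5000 -> 192.168.1.7

# Filter section (assumed). After rdr the filter sees the packet as
# destined for 192.168.1.101:22, so a rule written against $nat1 port 22
# would not match it; the same applies to 192.168.1.7:5000.
block in on $ext_if
pass in  on $ext_if proto tcp from any to 192.168.1.101 port 22   keep state
pass in  on $ext_if proto tcp from any to 192.168.1.7   port 5000 keep state
pass out on $int_if proto tcp from any to $internal_net            keep state

# To check which stage drops the connection:
#   pfctl -sn        lists the loaded translation rules
#   pfctl -vsr       shows filter rules with per-rule packet counters
#   pfctl -ss        shows whether a state was created for the port 22 flow
# If a "block" rule has "log" on it, tcpdump -ni pflog0 shows what it dropped.
```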

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf