OpenBSD 4.2 and 4.3-beta /etc/pf.conf fragment

# ---v---
table <ssh_pests> persist   # overload table declaration; assumed here, not in the original fragment
pass in log quick on em0 inet proto tcp \
    from !<ssh_pests> to (em0:0) port 22 \
    tag SSHVPN flags S/SA keep state \
    (max-src-conn-rate 3/120, overload <ssh_pests> flush global) \
    label R1
#
pass out log quick on em1 tagged SSHVPN keep state \
    label R2
#
block log all label R3
# ---^---

In the above rule set, "R2" does not "match" anything, ever. It is silent to pflog0. The traffic that should be passed by R2 instead posts in pflog0 as blocked by R3. Something about sshd's TCP decapsulation or pf's relationship with it is losing the tag SSHVPN. Without the ability to tag the ssh-tunneled traffic post-decapsulation, I don't know how to do the differentiated handling I need, e.g. sshd -w from inside via my wifi vs. sshd -w from outside to inside.

I've posted a form of this question before, but I've focused it further here. The ssh mailing-list folks allege it's a pf issue.

Now, I know that ssh -w flows via tun(n) interfaces. The following rule set flows the outside-to-inside traffic, BUT THERE'S NO LINKAGE BETWEEN R1 AND R2. Putting "tagged SSHVPN" on R2 will cause R2 to "not match" and therefore "not pass" the tun traffic.

# ---v---
pass in log quick on em0 inet proto tcp \
    from !<ssh_pests> to (em0:0) port 443 \
    tag SSHVPN flags S/SA keep state \
    (max-src-conn-rate 3/120, overload <ssh_pests> flush global) \
    label R1
#
pass in log quick on tun inet \
    from (tun:peer) to any \
    tag VTUNPKTS keep state label R2
#
pass out log quick on inside inet \
    tagged VTUNPKTS keep state label R3
# ---^---

Is this a bug, or is there a way that R2 can "know" where the tun traffic is ingressing from? What I think I want to be able to effect is...

# ---v---
pass in log quick on em0 inet proto tcp \
    from !<ssh_pests> to (em0:0) port 443 \
    tag SSHVPN flags S/SA keep state \
    (max-src-conn-rate 3/120, overload <ssh_pests> flush global) \
    label R1
#
pass in log quick on tun inet \
    tagged SSHVPN \
    tag VTUNPKTS keep state label R2
#
pass out log quick on inside inet \
    tagged VTUNPKTS keep state label R3
# ---^---

Thanks,
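Added example (editor's addition, not part of the original post): the labels R1, R2 and R3 on the rules above exist so that pf keeps per-rule counters, and `pfctl -sl` prints them one line per label. Before concluding that R2 "never matches", a practitioner would read those counters and separate the two cases that look the same in pflog0: a rule that is evaluated but whose criteria (here "tagged SSHVPN") are never satisfied, and a rule that is never reached at all. The counter lines below are constructed in the shape of `pfctl -sl` output and are not captured from a real system; only the leading fields (label, evaluations, packets, bytes) are relied on, so the trailing per-direction counters that newer releases append do not matter.

```shell
#!/bin/sh
# Added example: sort pf rule labels by what their counters say.
# `pfctl -sl` prints, per labelled rule, at least:
#   label  evaluations  packets  bytes  ...
# Against a live ruleset:
#   pfctl -sl | zero_hit_labels
#   pfctl -sl | label_counters R3

# Constructed sample in the shape of `pfctl -sl` output (not real data),
# modelling the post's symptom: R2 is evaluated but passes nothing,
# while the same number of packets is absorbed by the block rule R3.
sample_labels() {
    cat <<'EOF'
R1 124 9860 5402331 4930 1211204 4930 4191127
R2 58 0 0 0 0 0 0
R3 58 58 3016 58 3016 0 0
EOF
}

# Labels whose rule was evaluated at least once yet matched no packet:
# the rule is in the path but its match criteria are never true.
zero_hit_labels() {
    awk '$2 > 0 && $3 == 0 { print $1 }'
}

# Labels whose rule was never evaluated: the packet never reaches it
# (wrong interface, wrong direction, or an earlier "quick" rule).
never_evaluated_labels() {
    awk '$2 == 0 { print $1 }'
}

# Evaluations, packets and bytes for one label, e.g. the block rule
# that is absorbing the traffic the pass rule should have taken.
label_counters() {
    awk -v l="$1" '$1 == l { print $2, $3, $4 }'
}

# Stand-alone run over the constructed sample.
echo "evaluated but never matched: $(sample_labels | zero_hit_labels)"
echo "never evaluated:             $(sample_labels | never_evaluated_labels)"
echo "R3 eval/pkts/bytes:          $(sample_labels | label_counters R3)"
```

Run `pfctl -sl` once before and once after an `ssh -w` session and diff the two: a label whose evaluations grow while its packet count stays at zero is being reached but not matched, which distinguishes a tag that is not present on the packet from a rule that is simply out of the packet's path. `pfctl -vsr` shows the same counters next to each rule without needing labels.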