Stuart Henderson writes:
> i think it's simpler if you write this as one rule:
>
> pass in quick on $ext_if proto tcp from $work_hosts to $ssh_host \
>     port ssh rdr-to $ssh_host modulate state

Not quite, since $ssh_host is on the private IP network.

This is the rule:

pass in log quick on $ext_if inet proto tcp from $work_hosts to ($ext_if) \
    port ssh rdr-to $ssh_host $tcp_flags tag ext_ssh

> is there any change if you remove 'modulate state'?

Nope.

> do you have any other 'match' rules that would apply to these packets?

The redirection works, as this log shows. vr0=ext_if, vr1=int_if; I've replaced the name of the connecting host with $work_hosts, the IP of the ssh_host with $ssh_host, and the IP of my gateway with GWIP.

May 25 21:40:41.598026 rule 24/(match) pass in on vr0: $work_hosts.6935 > GWIP.ssh: S 2571626156:2571626156(0) win 5840 <mss 1380,sackOK,timestamp 556768519[|tcp]> (DF) [tos 0x60]
May 25 21:40:41.598137 rule 26/(match) pass out on vr1: $work_hosts.6935 > $ssh_host.ssh: S 2973802996:2973802996(0) win 5840 <mss 1380,sackOK,timestamp 556768519[|tcp]> [tos 0x60]

> reduce the ruleset to the minimum needed for the redirection and anything
> critical; if it still shows the problem then it would be useful to post
> the ruleset.
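The kind of minimal ruleset Stuart asks for, as an added example that is not part of the thread: it pairs the rdr-to rule on the external interface with the pass-out rule on the internal interface that the log's rule 26 corresponds to, using the tag from the original rule. Interface names are the ones named in the thread (vr0, vr1); the addresses and $tcp_flags value are placeholders.

```pf
# Constructed example pf.conf (OpenBSD rdr-to syntax); addresses are placeholders.
ext_if    = "vr0"
int_if    = "vr1"
work_hosts = "{ 192.0.2.10, 192.0.2.11 }"   # trusted external client hosts
ssh_host  = "10.0.0.5"                      # SSH server on the private network
tcp_flags = "flags S/SA"

set skip on lo
block log all

# Redirect SSH from the trusted hosts, arriving on the gateway's external
# address, to the internal SSH server; tag it so the outbound rule can
# match exactly these redirected connections and nothing else.
pass in log quick on $ext_if inet proto tcp from $work_hosts to ($ext_if) \
    port ssh rdr-to $ssh_host $tcp_flags tag ext_ssh

# Let only the tagged, redirected connections out on the internal
# interface towards the SSH server (this is the "pass out on vr1"
# counterpart visible in the pflog output above).
pass out log quick on $int_if inet proto tcp to $ssh_host port ssh \
    tagged ext_ssh

# Normal outbound traffic from the internal network.
pass out on $ext_if inet from ($int_if:network) to any
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` to confirm both the rule 24 (pass in on vr0) and rule 26 (pass out on vr1) matches appear for a connection.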